Need some kind of escape/stripTags functionality
Bug #342212 reported by
Michael Nelson
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
LAZR Javascript Library |
Triaged
|
Low
|
Unassigned |
Bug Description
AFAICS, YUI doesn't have any built-in functionality like prototype's escapeHTML:
http://
The JS build-in escape() is no good, as it does urlencoding, so spaces become %20's.
We can temporarily use:
"<script>my bad stuff</
to strip out tags, but I don't think this is safe with different character sets.
BTW: Unless I'm missing something, it's not trivial to do it without the regexp.
Changed in lazr-js: | |
status: | New → Triaged |
importance: | Undecided → Low |
To post a comment you must log in.
A simple, and probably more efficient way to escape the text is to use document. createTextNode( ), but you need to append that node as opposed to just setting innerHTML. If you want to replace the entire content, it can be done by calling:
container. set('innerHTML' , ''); appendChild( document. createTextNode( a_string_ containing_ html));
container.
However, I don't think that the FormOverlay. showError( ) method is the right place to escape HTML, since it limits the ability of pages using that widget to format the error message. Since most errors messages containing potentially bogus HTML will come from the REST API, we could have the javascript REST client escape the response. responseText.