Dojo Toolkit: how to escape an HTML string?

Jan Van den bosch · Mar 28, 2012 · Viewed 7.7k times

A user of my HTML 5 application can enter his name in a form, and this name will be displayed elsewhere. More specifically, it will become the innerHTML of some HTML element.

The problem is that this can be exploited if one enters valid HTML markup in the form, i.e. some sort of HTML injection, if you will.

The user's name is only stored and displayed on the client side so in the end the user himself is the only one who is affected, but it's still sloppy.

Is there a way to escape a string before I put it in an element's innerHTML in Dojo? I guess that Dojo at one point did in fact have such a function (dojo.string.escape()) but it doesn't exist in version 1.7.

Thanks.

Answer

Craig Swing · Mar 28, 2012
dojox.html.entities.encode(myString);
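As an added illustration (not code from the question, the answer or the Dojo project), the following shows what such an encoder has to do and why the unescaped pattern in the question is unsafe. escapeHtml, renderNameUnsafe, renderNameSafe and the sample name are assumptions constructed here; they are not dojox APIs.

```javascript
// Added example: a minimal escaper in the spirit of dojox.html.entities.encode,
// so that a user-supplied name becomes inert text when assigned to innerHTML.
// Names below are constructed for this example, not Dojo's own.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that change how a string is parsed as HTML.
// '&' must be escaped as well, otherwise a user typing "&lt;" would have it
// decoded back into "<" by the browser.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The vulnerable pattern from the question: the raw name is concatenated into
// markup, so any tags in it are parsed as part of the document.
function renderNameUnsafe(name) {
  return '<span class="user-name">' + name + '</span>';
}

// Hardened version: escape before concatenating. Markup in the name is shown
// as visible text instead of being parsed. On a real DOM, assigning
// element.textContent = name avoids the problem without any escaping.
function renderNameSafe(name) {
  return '<span class="user-name">' + escapeHtml(name) + '</span>';
}

// Constructed sample input that exercises all five escaped characters.
const SAMPLE_NAME = '<b>Jan</b> & "the" \'gang\'';

// Returns both renderings so the difference can be inspected or asserted on.
function demo(name = SAMPLE_NAME) {
  return { unsafe: renderNameUnsafe(name), safe: renderNameSafe(name) };
}

console.log(demo().unsafe); // tags survive: the <b> would be parsed
console.log(demo().safe);   // tags neutralised: &lt;b&gt;Jan&lt;/b&gt; ...
```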