Dojo Toolkit: how to escape an HTML string?

javascript dojo escaping innerhtml
Jan Van den bosch picture Jan Van den bosch · Mar 28, 2012 · Viewed 7.7k times · Source

A user of my HTML 5 application can enter his name in a form, and this name will be displayed elsewhere. More specifically, it will become the innerHTML of some HTML element.

The problem is that this can be exploited if one enters valid HTML markup in the form, i.e. some sort of HTML injection, if you will.

The user's name is only stored and displayed on the client side so in the end the user himself is the only one who is affected, but it's still sloppy.

Is there a way to escape a string before I put it in an elements innerHTML in Dojo? I guess that Dojo at one point did in fact have such a function (dojo.string.escape()) but it doesn't exist in version 1.7.

Thanks.

Answer

Craig Swing picture Craig Swing · Mar 28, 2012 
dojox.html.entities.encode(myString);

Related questions

how to reset scroll position in a div using javascript

I am working on a mobile hybrid application. In my html page, I have 3 tabs. When clicking a tab, the content of the scrollable div gets changed. My problem is when I scroll down the content of div (view) and …

Read More
JavaScript simulate right click through code

I am writing some UI tests using Selenium and i have a JavaScript Tree control, using the Dojo toolkit. I have implemented a context menu for each node of the tree using the examples that Dojo provide, but I need …

Read More
How do I dynamically show and hide an entire TabContainer using DOJO?

DOJO seems to have some quirks here. I specifically need to have the TabContainer hidden when the page loads, but then become visible after the user clicks a button. The first thing I tried is setting style.display = "none" to …

Read More