A user of my HTML5 application can enter his name in a form, and this name will be displayed elsewhere. More specifically, it will become the innerHTML of some HTML element.
The problem is that this can be exploited if one enters valid HTML markup in the form, i.e. some sort of HTML injection, if you will.
The user's name is only stored and displayed on the client side so in the end the user himself is the only one who is affected, but it's still sloppy.
Is there a way to escape a string before I put it in an element's innerHTML in Dojo? I guess that Dojo at one point did in fact have such a function (dojo.string.escape()) but it doesn't exist in version 1.7.
Thanks.
dojox.html.entities.encode(myString);
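The accepted answer points at dojox.html.entities.encode, which is the right call when the string really has to go through innerHTML. The example below is an added illustration, not Dojo's own implementation: it hand-writes an equivalent entity escaper so it runs in plain Node without Dojo, shows the name being escaped before concatenation into markup, and contrasts it with assigning textContent, which needs no escaping at all because the browser never parses it. The `makeElement` stand-in and the sample name are constructed for the example.

```javascript
// Added example: a minimal HTML-entity escaper standing in for
// dojox.html.entities.encode, used so the snippet runs outside a browser.

// Characters the HTML parser treats specially in text and attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace each HTML-significant character with its named or numeric entity,
// so the browser renders the string as literal text instead of markup.
// Note '&' is in the set: escaping it is what prevents double-decoding tricks.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern from the question (string concatenation destined for innerHTML),
// with the untrusted name escaped before it is mixed into the markup.
function renderGreeting(name) {
  return '<span class="user">' + escapeHtml(name) + '</span>';
}

// Toy element object so the example runs in Node; in a page you would use the
// real element returned by document.getElementById or dojo.byId.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Alternative when no markup is wanted: textContent assigns literal text and
// is never parsed, so nothing needs escaping.
function setNameAsText(el, name) {
  el.textContent = String(name);
  return el.textContent;
}

// Constructed sample input: a "name" that is actually HTML markup.
const SAMPLE_NAME = '<b>Bob</b>';

const greeting = makeElement();
greeting.innerHTML = renderGreeting(SAMPLE_NAME);
console.log('escaped for innerHTML:', greeting.innerHTML);

const plain = makeElement();
console.log('via textContent:', setNameAsText(plain, SAMPLE_NAME));
```

Escape at the point of output, on the raw stored name, rather than storing an escaped copy: escaping on input leads to double-encoded text ("&amp;amp;") wherever the name is later displayed through textContent or a non-HTML channel, and it has to be undone before the name is shown in a form field again.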