How to Escape HTML in Node.Js Ejs View

How to escape HTML in node.js EJS view?

You are escaping the value correctly by using:

<%= bloglist[i].Text %>

If you want to allow HTML to be rendered, then you want an "unescaped" value. To do that use the following:

<%- bloglist[i].Text %>

All I did was replace the equal (=) with a dash (-).

Reference: https://github.com/visionmedia/ejs/tree/0.8.3#features

Print raw html strings on EJS

You should use html code everywhere, and use the EJS tags only where you need dynamic data. Example:

<a href='<%= user.id %>'><%= user.name %></a>

To specifically answer your question you can use <%- "<tags_here>" %> to output unescaped HTML data.

How to fix ejs template? Does not interpret html tags as html

I think it is an error in the tutorial. When you add the list variable, you are putting HTML elements into a string.

Ejs will automatically escape these when you do <%= list %>.

To get the string to be interpreted as HTML you have to change it to <%- list %>.

Having said this, you need to be very careful when using this, as it potentially leaves the website open to people injecting scripts into your page (XSS).

You would be better off doing something like this:

<ul>
<% userlist.forEach(function(user){ %>
<li>
<a href="mailto:<%= user.email %>"><%= user.username %></a>
</li>
<% }); %>
</ul>

EJS doesn't escape characters

Figured from https://github.com/tj/ejs/tree/0.8.3#features that I was using:

Escapes html by default with <%= code %> when I should have used
Unescaped buffering with <%- code %>

Replacing = with - fixed the problem

Render a variable as HTML in EJS

With EJS you can have several tags:

    <% code %>

... which is code that is evaluated but not printed out.

    <%= code %>

... which is code that is evaluated and printed out (escaped).

    <%- code %>

... which is code that is evaluated and printed out (not escaped).

Since you want to print your variable and NOT escape it, your code would be the last type (with the <%-). In your case:

    <%- my_form_content %>

For more tags, see the full EJS documentation

Meaning of escaped and unescaped value in context of ejs templating engine?

Let me show you a simple example.

Let's say you have data stored in your database and want to render it in a view ejs page. Example:

x = "<p>This is a paragraph</p>"

Now add these lines in your ejs page

<%= x %>
<%- x %>

You are going to see this

<p>This is a paragraph</p>
This is a paragraph

As you see, the <%= tag escapes the html tags, and does not let them be translated.

The opposite happens with the <%- tag, where html is translated (unescaped), and you see the result you wish.

The <%= tag escapes that code for security reasons. In case you want to use the <%- tag you have to be sure about the data you store in your database and want to render later.

Think about this data

x = "<script>alert('You are in danger!')</script>"

And try to render it this way

<%- x %>

Guess what! You are going to see a nice alert message informing you that if you aren't sure about your data, you are in danger.

Hope I helped you.
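The two renderings described in this answer, as an added example that is not part of the original post and not EJS's own code: a minimal renderer that understands only the `<%= %>` and `<%- %>` output tags (with a simple property-name expression, an assumption for brevity) and an escape function covering the same five characters EJS's default escaper handles, so the escaped and raw results can be compared directly.

```javascript
// Added example, not EJS's own code. Assumptions: expressions inside the tags are
// plain property paths (e.g. "x" or "user.name") looked up on the data object,
// and values are rendered as strings.

// Entity mapping for the characters that matter in HTML text and attribute values.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };

// Escape a value so the browser shows it as text instead of parsing it as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Render a template: "=" tags escape the value, "-" tags insert it unchanged.
function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_match, mode, path) => {
    const value = path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    const text = value == null ? '' : String(value);
    return mode === '=' ? escapeHtml(text) : text;
  });
}

// Constructed sample data mirroring the two cases in the answer above.
const paragraph = '<p>This is a paragraph</p>';
const payload = "<script>alert('You are in danger!')</script>";

// Returns all four renderings so the difference between the tags is visible.
function demo() {
  return {
    escapedParagraph: render('<%= x %>', { x: paragraph }), // shows the literal tags
    rawParagraph: render('<%- x %>', { x: paragraph }),     // browser renders a paragraph
    escapedPayload: render('<%= x %>', { x: payload }),     // script shown as text, not run
    rawPayload: render('<%- x %>', { x: payload }),         // script reaches the page as-is
  };
}
```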

How to include html code in a view?

The correct code in your situation would be:

<%- partial('part1') %>

If you want to include unescaped HTML use <%- and if you want to escape HTML (unlikely though when including a partial) you can use <%=.

Resources:

Node.js - EJS - including a partial

http://groups.google.com/group/express-js/browse_thread/thread/62d02af36c83b1cf
