How to escape HTML in node.js EJS view?
You are escaping the value correctly by using:
<%= bloglist[i].Text %>
If you want to allow HTML to be rendered, then you want an "unescaped" value. To do that use the following:
<%- bloglist[i].Text %>
All I did was replace the equal (=) with a dash (-).
Reference: https://github.com/visionmedia/ejs/tree/0.8.3#features
Print raw html strings on EJS
You should use html code everywhere, and use the EJS tags only where you need dynamic data. Example:
<a href='<%= user.id %>'><%= user.name %</a>
To specifically answer your question you can use <%- "<tags_here>" %>
to output unescaped HTML data.
How to fix ejs template? Does not interpret html tags as html
I think it is an error in the tutorial. When you add you the list
variable, you are putting HTML elements into a string.
Ejs will automatically escape these when you do <%= list %>
.
To get the string to be interpreted as HTML you have to change it to <%- list %>
.
Having said this, you need to be very careful when using this, as it potentially leaves the website open to people injecting scripts into your page (XSS).
You would be better off doing something like this:
<ul>
<% userlist.forEach(function(user){ %>
<li>
<a href="mailto:<%= user.email %>"><%= user.username %></a>
</li>
<% }); %>
</ul>
EJS doesn't escape characters
Figured from https://github.com/tj/ejs/tree/0.8.3#features that I was using:Escapes html by default with <%= code %>
when I should have used Unescaped buffering with <%- code %>
**Replacing =
with -
fixed the problem
Render a variable as HTML in EJS
With EJS you can have several tags:
<% code %>
... which is code that is evaluated but not printed out.
<%= code %>
... which is code that is evaluated and printed out (escaped).
<%- code %>
... which is code that is evaluated and printed out (not escaped).
Since you want to print your variable and NOT escape it, your code would be the last type (with the <%-
). In your case:
<%- my_form_content %>
For more tags, see the full EJS documentation
Meaning of escaped and unescaped value in context of ejs templating engine?
Let me show you a simple example.
Let's say you have data stored in your database and want to render it in a view ejs page. Example:
x = "<p>This is a paragraph</p>"
Now add the these lines in your ejs page
<%= x %>
<%- x %>
You are going to see this
<p>This is a paragraph</p>
This is a paragraph
As you see, <%=
tag escapes the html tags, and does not let them to be translated.
The opposite happens with <%-
tag, where html is translated (unescaped), and you see the result you wish.
<%=
tag escapes that code for security reasons. In case you want to use <%-
tag you have to be sure about the data you store on your database and want later render them.
Think about this data
x = "<script>alert('You are in danger!')</script>"
And try to render it this way
<%- x %>
Guess what! You are going to see a nice alert message informing you that if you aren't sure about your data, you are in danger.
Hope I helped you.
How to include html code in a view?
The correct code in your situation would be:
<%- partial('part1') %>
If you want to include unescaped HTML use <%-
and if you want to escape HTML (unlinkely though when including a partial) you can use <%=
.
Resources:
Node.js - EJS - including a partial
http://groups.google.com/group/express-js/browse_thread/thread/62d02af36c83b1cf
Related Topics
Html5 Validation When the Input Type Is Not "Submit"
Why Would Margin Not Be Contained by Parent Element
How to Override Inline !Important
How to HTML Encode/Escape a String? Is There a Built-In
Youtube: How to Present Embed Video with Sound Muted
Change Name of Download in JavaScript
How to Create a Transparent Triangle with Border Using CSS
What Do <Form Action="#"> and <Form Method="Post" Action="#"> Do
CSS Image Resize Percentage of Itself
Heading with Horizontal Line on Either Side
Left-Right Movement.. CSS Only Very Generic
5 Images Symmetrically Seperated with Diagonal Lines
Low Latency (< 2S) Live Video Streaming HTML5 Solutions