What is the HtmlSpecialChars equivalent in JavaScript?
There is a problem with your solution code--it will only escape the first occurrence of each special character. For example:
escapeHtml('Kip\'s <b>evil</b> "test" code\'s here');
Actual: Kip&#039;s &lt;b&gt;evil</b> &quot;test" code's here
Expected: Kip&#039;s &lt;b&gt;evil&lt;/b&gt; &quot;test&quot; code&#039;s here
Here is code that works properly:
function escapeHtml(text) {
    // Each replace uses the /g flag so every occurrence is escaped, not just the first.
    return text
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#039;");
}
Update
The following code will produce identical results to the above, but it performs better, particularly on large blocks of text (thanks jbo5112).
function escapeHtml(text) {
    // Single pass over the string: one regex, one lookup per matched character.
    var map = {
        '&': '&amp;',
        '<': '&lt;',
        '>': '&gt;',
        '"': '&quot;',
        "'": '&#039;'
    };
    return text.replace(/[&<>"']/g, function(m) { return map[m]; });
}
Node.js Equivalent for htmlspecialchars in php
First of all, if you set your encoding correctly (on the html page and in the database or convert before inserting/after selecting) you shouldn't need to convert special chars to HTML entities to avoid the described behaviour. htmlspecialchars() should be used to prevent people from posting HTML (converting < and > to &lt; and &gt;).
If you still need to escape HTML special characters, take a look at this NPM package : https://www.npmjs.com/package/html-entities
Use it like this :
const Entities = require('html-entities').AllHtmlEntities;
const entities = new Entities();
console.log(entities.encode("éèàâê"));
will output
&eacute;&egrave;&agrave;&acirc;&ecirc;
How to convert html special chars to ordinary HTML?
How to decode HTML entities using jQuery? and jQuery .appendTo method worked for me.
Can I escape HTML special chars in JavaScript?
Here's a solution that will work in practically every web browser:
function escapeHtml(unsafe)
{
    // Global replaces so every occurrence is escaped.
    return unsafe
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#039;");
}
If you only support modern web browsers (2020+), then you can use the new replaceAll function:
const escapeHtml = (unsafe) => {
    // replaceAll replaces every occurrence without needing a /g regex.
    return unsafe.replaceAll('&', '&amp;').replaceAll('<', '&lt;').replaceAll('>', '&gt;').replaceAll('"', '&quot;').replaceAll("'", '&#039;');
}
does htmlspecialchars escape javascript?
Well, to answer your question, it depends. If you're doing:
<p><?php echo htmlspecialchars($userInput); ?></p>
Then they will not be able to inject scripts into your application.
HOWEVER:
If you're trying to do this:
<script>
var foo = '<?php echo htmlspecialchars($userInput); ?>';
</script>
You are not safe. See Rule #3 on OWASP's XSS Cheat Sheet.
To protect that, you'd need to use a JS aware escaping function. You could json encode it if you just need a string literal, but I would use ESAPI for PHP to take care of this.
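An added example (not from any answer above) of the JS-aware escaping this answer calls for: JSON.stringify builds the string literal, and the characters that could still end the script block or be misread by the HTML parser are rewritten as \u escapes. The helper names are my own.

```javascript
// Added example: build a JavaScript string literal that is safe to embed
// inside a <script> block. HTML escaping (htmlspecialchars / escapeHtml)
// is the wrong tool there: the browser does not decode entities inside
// script text, so the characters reach the JS parser unchanged.

// Still dangerous after JSON.stringify: "<" (can start "</script>"), ">",
// "&", and the line terminators U+2028/U+2029, which JSON allows raw but
// older JS engines treat as newlines inside a string literal.
const JS_UNSAFE = /[<>&\u2028\u2029]/g;

function toJsStringLiteral(value) {
  // JSON.stringify already escapes quotes, backslashes and control chars.
  const json = JSON.stringify(String(value));
  return json.replace(JS_UNSAFE, (ch) => {
    return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// Emit the <script> tag that hands the value to the page as data.
// The variable name is validated so it cannot carry code of its own.
function scriptTagAssigning(varName, value) {
  if (!/^[A-Za-z_$][\w$]*$/.test(varName)) {
    throw new Error("varName must be a plain identifier");
  }
  return "<script>var " + varName + " = " + toJsStringLiteral(value) + ";</script>";
}

// A literal produced this way is also valid JSON, so the round trip can
// be checked without eval.
function roundTrips(value) {
  return JSON.parse(toJsStringLiteral(value)) === String(value);
}
```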
Convert special characters to HTML in JavaScript
You need a function that does something like
return mystring.replace(/&/g, "&amp;").replace(/>/g, "&gt;").replace(/</g, "&lt;").replace(/"/g, "&quot;");
But taking into account your desire for different handling of single/double quotes.
htmlentities function in javascript
There is a library for this. It has an equivalent to PHP htmlentities function:
http://phpjs.org/functions/htmlentities/
Encode HTML entities in JavaScript
You can use regex to replace any character in a given unicode range with its html entity equivalent. The code would look something like this:
var encodedStr = rawStr.replace(/[\u00A0-\u9999<>\&]/g, function(i) {
    return '&#' + i.charCodeAt(0) + ';';
});
This code will replace all characters in the given range (unicode 00A0 - 9999, as well as ampersand, greater & less than) with their html entity equivalents, which is simply &#nnn; where nnn is the unicode value we get from charCodeAt.
See it in action here: http://jsfiddle.net/E3EqX/13/ (this example uses jQuery for element selectors used in the example. The base code itself, above, does not use jQuery)
Making these conversions does not solve all the problems -- make sure you're using UTF8 character encoding, make sure your database is storing the strings in UTF8. You still may see instances where the characters do not display correctly, depending on system font configuration and other issues out of your control.
Documentation
String.charCodeAt - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/charCodeAt
HTML Character entities - http://www.chucke.com/entities.html
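An added example, not part of the answer above, that generalizes its numeric-entity approach: it iterates over Unicode code points (the /u flag with codePointAt) so characters outside the BMP become one &#nnn; entity instead of two surrogate halves, and it includes a matching decoder to check the round trip. The encoding range chosen here (everything above 0x7E plus the HTML metacharacters) is an assumption.

```javascript
// Added example: numeric HTML entity encoding over full Unicode code points.
// charCodeAt returns a single UTF-16 code unit, so an emoji such as U+1F600
// would be split into two meaningless surrogate entities; codePointAt on a
// /u regex match yields the whole character.
// Assumption: encode every char above 0x7E plus the HTML metacharacters.
const NEEDS_ENTITY = /[^\x00-\x7E]|[<>&"']/gu;

function encodeNumericEntities(rawStr) {
  return rawStr.replace(NEEDS_ENTITY, (ch) => "&#" + ch.codePointAt(0) + ";");
}

// Decoder for the same format (decimal &#nnn; and hex &#xhhh; only),
// used here to verify that the encoder round-trips.
function decodeNumericEntities(encoded) {
  return encoded.replace(/&#(x[0-9a-f]+|\d+);/gi, (match, num) => {
    const cp = num[0].toLowerCase() === "x"
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10);
    return String.fromCodePoint(cp);
  });
}

function roundTrips(s) {
  return decodeNumericEntities(encodeNumericEntities(s)) === s;
}
```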