What Is the Htmlspecialchars Equivalent in JavaScript

What is the HtmlSpecialChars equivalent in JavaScript?

There is a problem with your solution code--it will only escape the first occurrence of each special character. For example:

escapeHtml('Kip\'s <b>evil</b> "test" code\'s here');
Actual:   Kip&#039;s &lt;b&gt;evil</b> &quot;test" code's here
Expected: Kip&#039;s &lt;b&gt;evil&lt;/b&gt; &quot;test&quot; code&#039;s here

Here is code that works properly:

function escapeHtml(text) {
  // The /g flag makes each replace hit every occurrence, not just the first.
  // Ampersand must go first so already-produced entities are not re-escaped.
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}


Update

The following code will produce identical results to the above, but it performs better, particularly on large blocks of text (thanks jbo5112).

function escapeHtml(text) {
  var map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#039;'
  };

  // One pass over the string: each special character is looked up in the map.
  return text.replace(/[&<>"']/g, function(m) { return map[m]; });
}

Node.js Equivalent for htmlspecialchars in php

First of all, if you set your encoding correctly (on the HTML page and in the database, or convert before inserting/after selecting) you shouldn't need to convert special chars to HTML entities to avoid the described behaviour. htmlspecialchars() should be used to prevent people from posting HTML (converting < and > to &lt; and &gt;).

If you still need to escape HTML special characters, take a look at this NPM package: https://www.npmjs.com/package/html-entities

Use it like this:

const Entities = require('html-entities').AllHtmlEntities;
const entities = new Entities();

console.log(entities.encode("éèàâê"));

will output

&eacute;&egrave;&agrave;&acirc;&ecirc;

How to convert html special chars to ordinary HTML?

How to decode HTML entities using jQuery? and jQuery .appendTo method worked for me.

Can I escape HTML special chars in JavaScript?

Here's a solution that will work in practically every web browser:

function escapeHtml(unsafe)
{
  return unsafe
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

If you only support modern web browsers (2020+), then you can use the new replaceAll function:

const escapeHtml = (unsafe) => {
  return unsafe
    .replaceAll('&', '&amp;')
    .replaceAll('<', '&lt;')
    .replaceAll('>', '&gt;')
    .replaceAll('"', '&quot;')
    .replaceAll("'", '&#039;');
}

does htmlspecialchars escape javascript?

Well, to answer your question, it depends. If you're doing:

<p><?php echo htmlspecialchars($userInput); ?></p>

Then they will not be able to inject scripts into your application.

HOWEVER:

If you're trying to do this:

<script>
var foo = '<?php echo htmlspecialchars($userInput); ?>';
</script>

You are not safe. See Rule #3 on OWASP's XSS Cheat Sheet.

To protect that, you'd need to use a JS aware escaping function. You could json encode it if you just need a string literal, but I would use ESAPI for PHP to take care of this.
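As an added example (not code from any of the answers above), the same user-supplied string escaped for the HTML body context and for the JavaScript string-literal context that OWASP Rule #3 covers. escapeHtml is the map-based escaper from earlier on this page; escapeJsString and scriptAssignment are assumed helper names, not a library API.

```javascript
// Added example: context-aware escaping of the same input.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// HTML body / quoted-attribute context (behaves like htmlspecialchars with ENT_QUOTES).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (m) => HTML_MAP[m]);
}

// JavaScript string-literal context: every character except [A-Za-z0-9] becomes
// \xHH (code units below 0x100) or \uHHHH. The result is valid inside both
// '...' and "..." literals and can never contain </script>, a quote or a
// backslash, which is why it is safe to splice into an inline <script>.
function escapeJsString(text) {
  return String(text).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// The inline-script assignment from the answer above, built with the
// JS-aware escaper instead of an HTML escaper.
function scriptAssignment(userInput) {
  return "<script>\nvar foo = '" + escapeJsString(userInput) + "';\n</script>";
}

// Why the HTML escaper is the wrong tool here: it leaves the backslash alone,
// and inside a JS literal a backslash changes how the next character is read.
function backslashSurvivesHtmlEscape(text) {
  return escapeHtml(text).includes('\\');
}

// Sample input (constructed for this example).
const sample = 'Kip\'s <b>evil</b> "test" code\'s here';
console.log(escapeHtml(sample));
console.log(scriptAssignment(sample));
```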

Convert special characters to HTML in JavaScript

You need a function that does something like

return mystring.replace(/&/g, "&amp;").replace(/>/g, "&gt;").replace(/</g, "&lt;").replace(/"/g, "&quot;");

But taking into account your desire for different handling of single/double quotes.

htmlentities function in javascript

There is a library for this. It has an equivalent to PHP htmlentities function:
http://phpjs.org/functions/htmlentities/

Encode HTML entities in JavaScript

You can use regex to replace any character in a given unicode range with its html entity equivalent. The code would look something like this:

var encodedStr = rawStr.replace(/[\u00A0-\u9999<>\&]/g, function(i) {
  return '&#' + i.charCodeAt(0) + ';';
});

This code will replace all characters in the given range (unicode 00A0 - 9999, as well as ampersand, greater & less than) with their html entity equivalents, which is simply &#nnn; where nnn is the unicode value we get from charCodeAt.

See it in action here: http://jsfiddle.net/E3EqX/13/ (this example uses jQuery for element selectors used in the example. The base code itself, above, does not use jQuery)

Making these conversions does not solve all the problems -- make sure you're using UTF8 character encoding, make sure your database is storing the strings in UTF8. You still may see instances where the characters do not display correctly, depending on system font configuration and other issues out of your control.

Documentation

  • String.charCodeAt - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/charCodeAt
  • HTML Character entities - http://www.chucke.com/entities.html

