Sufficiently escaping HTML and Javascript - scala

From the documentation, I believed that Html(value) is sufficient escaping for HTML and Javascript. But this code lets HTML tags pass without escaping.
<ul>
#*here is the loop*#
#nodes.map{ n =>
<li> #Html( n) </li> }
</ul>
Please give the code that will sufficiently escape HTML and Javascript (and all other dangerous things) before rendering the view.

I believe it's the opposite. The Html function outputs the raw string without escaping it. By default Play escapes dynamic content that's inserted into the templates. See the section on Escaping in the documentation.

Related

How to escape single quote in EJS template

My variable contains a string with an apostrophe or a single quote '.
I'd like to display it with EJS.
I use
<img class="card-img-top" src='<%= data[i][0].omdb.Poster %>' alt='<%= data[i][0].omdb.Title; %>'>
When data[i][0].omdb.Title; contains an apostrophe, the HTML is broken.
<%= is known to escape HTML. But not single quotes!
How do I do it? Any idea, please?
I can't find anything in the EJS docs.
<%= is known to escape HTML. But not single quotes! How do I do it?
Use double quotes around your attributes. Then single quotes won't matter.
(If you really want to use ' then you can do ...Poster.replace(/'/g, "&apos;")).
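The same point underlies both the Play answer above (Html(...) passes a value through raw, the default escapes it) and this EJS answer (the attribute delimiter decides which characters must be encoded). The following is an added example in plain JavaScript, not code from either question or from Play or EJS; the function names, the `poster.jpg` path and the sample titles are constructed for illustration.

```javascript
// Added example, not from the original page: what the template engines on
// this page do for you, and why the attribute delimiter matters.

// Full escape table: safe in a text node and inside a quoted attribute value
// with either delimiter. &#39; is used for the apostrophe because &apos; is
// not defined in HTML 4 and older parsers render it literally.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// An older-style escaper that leaves the apostrophe alone, which is the
// behaviour the EJS question describes.
function escapeHtmlNoApos(value) {
  return String(value).replace(/[&<>"]/g, (ch) => HTML_ESCAPES[ch]);
}

// Play's default behaviour / EJS <%= %>: every dynamic value is escaped,
// so markup in the data is displayed as text, not interpreted.
function renderList(nodes) {
  return `<ul>${nodes.map((n) => `<li>${escapeHtml(n)}</li>`).join("")}</ul>`;
}

// Play's Html(...) / EJS <%- %>: the value is treated as trusted markup and
// passes through untouched. Only use this for markup you generated yourself.
function renderListRaw(trustedNodes) {
  return `<ul>${trustedNodes.map((n) => `<li>${n}</li>`).join("")}</ul>`;
}

// Single-quoted attribute with an escaper that does not touch the apostrophe:
// the value closes the attribute early and the remainder becomes stray
// attribute text (or, with a crafted title, new attributes).
function renderAltSingleQuotedLegacy(title) {
  return `<img src='poster.jpg' alt='${escapeHtmlNoApos(title)}'>`;
}

// Fix 1 from the answer: double-quote the attribute. Even the legacy escaper
// encodes " as &quot;, so the delimiter can no longer be terminated.
function renderAltDoubleQuoted(title) {
  return `<img src="poster.jpg" alt="${escapeHtmlNoApos(title)}">`;
}

// Fix 2: keep single quotes but use an escaper that encodes the apostrophe.
function renderAltSingleQuoted(title) {
  return `<img src='poster.jpg' alt='${escapeHtml(title)}'>`;
}

// Constructed sample data.
const hostileNodes = ["<script>alert(1)</script>", "plain text"];
const quotedTitle = `Ocean's "Eleven"`;

console.log(renderList(hostileNodes));
console.log(renderListRaw(["<b>trusted</b>"]));
console.log(renderAltSingleQuotedLegacy(quotedTitle)); // broken attribute
console.log(renderAltDoubleQuoted(quotedTitle));       // intact
console.log(renderAltSingleQuoted(quotedTitle));       // intact
```

The table-driven escaper is deliberately the same for text and attribute contexts; it is the delimiter choice, not the context, that the EJS question trips over. Note that this covers quoted attribute values only: an unquoted attribute (`alt=<%= x %>`) is terminated by whitespace and needs a far stricter escape, so always quote.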

How to display emojis with ReasonReact?

Is there an easy way to insert emojis with ReasonReact?
In ReactJS, you can simply type the emoji and it renders as expected, but that doesn't seem to be the case in Reason.
If you try this:
<span role="img" ariaHidden=true> {React.string("💩")} </span>
It compiles to:
React.createElement("span", {
"aria-hidden": true,
role: "img"
}, "\xf0\x9f\x92\xa9")
Which renders as:
ð©
What would be the best way to encode emojis so ReasonReact can display them as expected?
The answers to this question explain how to insert unicode, but I'm interested in how to directly type the characters without looking up the unicode for each one.
There is a special syntax provided by BuckleScript for unicode strings. Instead of quotes you need to use {j| |j}.
Try this instead
<span role="img" ariaHidden=true> {React.string({j|💩|j})} </span>
This is because of how OCaml handles strings.

HTML entities in attributes with tinymce

When I have double quotes encoded in my HTML attributes, tinymce breaks those attributes.
For example:
data-value="ab&quote;----&quote;"> will be seen in source code: <div data-type="more-posts" data-value="ab">Hello</div>
http://codepen.io/anon/pen/MKYrbJ
How can I fix this?
If you had real double quotes here, your HTML would not be valid anymore, because attributes use them.
It would be best to handle those when you save that content to your database.
You could replace them with single quotes - those wouldn't break the markup.

escaping user input using express.js

When a user fills out a form how do I go about escaping the user input in express.js?
Does express.js do this by default? I can't find a source.
Do I have to use a third-party module like express-validator.js?
UPDATE
I figured out the difference between escaping and validating.
What I wanted to do was escape user input, but what I should be doing is validating it, making sure it's in a valid format, and then escaping the output to the form if it is not valid, giving the user exactly what they inputted.
<%= some_html %> will automatically escape it. <%- some_html %> will output html intact.
Exactly what kind of escaping do you need to do? Express will automatically decode (not unescape) the query string for you and make it available as req.query. URL params will also be unencoded for you automatically.
If you need to escape HTML that includes user input when rendering, you should do that via your template engine. Most template engines such as jade (= value) or handlebars or mustache ({{value}}) will escape HTML by default, and require an explicit syntax to pass data through unescaped ( != value in jade or {{{value}}} in handlebars/mustache).
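To make the decode/validate/escape split in the answer concrete, here is an added example in plain Node (no Express, so it runs offline); it is not code from the question or from Express. Express's default query parser is the `qs` library, which additionally understands nested keys like `a[b]=c`; `URLSearchParams` below is a simplification that matches it for flat forms. The name format rule, the function names and the sample query strings are assumptions made for the example.

```javascript
// Added example, not from the original page: what the framework does with the
// query string versus what the view still has to do.

// Express-like decoding: percent-encoding is undone, nothing more.
// "name=%3Cb%3EBob%3C%2Fb%3E" -> { name: "<b>Bob</b>" }
function parseQuery(rawQueryString) {
  const params = new URLSearchParams(rawQueryString);
  const query = {};
  for (const [key, value] of params) query[key] = value;
  return query;
}

// Validation: accept only the format the field is supposed to hold. Here a
// display name is 1-40 letters, digits, spaces, apostrophes or hyphens
// (an assumption for the example; pick the rule that fits your field).
const NAME_RE = /^[\p{L}\p{N} '-]{1,40}$/u;
function validateName(name) {
  return typeof name === "string" && NAME_RE.test(name);
}

// Output escaping: applied to every dynamic value at render time whether or
// not validation passed, because the invalid value is echoed back as well.
// This is what <%= %> / {{value}} / (= value) do inside the template engine.
function escapeHtml(value) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => table[ch]);
}

// Handler logic in the shape an Express route has, minus req/res: it returns
// { status, body } so it can be exercised and checked offline.
function handleNameSubmission(rawQueryString) {
  const query = parseQuery(rawQueryString);
  const name = query.name ?? "";
  if (validateName(name)) {
    return { status: 200, body: `<p>Hello, ${escapeHtml(name)}</p>` };
  }
  // Re-render the form with exactly what the user typed, escaped for the
  // attribute context it lands in.
  return {
    status: 400,
    body:
      `<form method="POST">` +
      `<input type="text" name="name" value="${escapeHtml(name)}">` +
      `<p>Invalid name</p></form>`,
  };
}

// Constructed sample requests.
const sampleHostile = handleNameSubmission("name=%3Cscript%3Ealert(1)%3C%2Fscript%3E");
const sampleValid = handleNameSubmission("name=O%27Brien");
console.log(sampleHostile.status, sampleHostile.body);
console.log(sampleValid.status, sampleValid.body);
```

Two things to notice: the decoded value `<script>alert(1)</script>` is exactly what `req.query.name` would contain, so decoding on the way in buys no safety; and a value that passes validation (an apostrophe is legitimate in a name) still has to be escaped on the way out, which is why escaping belongs in the template layer rather than in the validator.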

Using mPDF to create a PDF from a HTML form

I want to use mpdf to create my PDF files because I use Norwegian letters such as ÆØÅ. The information on the PDF file would mostly consist of text written by the user in an HTML form. But I have some problems.
When using this code:
$mpdf->WriteHTML('Text with ÆØÅ');
The PDF will show the special characters.
But when using this:
<?php
include('mpdf/mpdf.php');
$name = 'Name - <b>' . $_POST['name'] . '</b>';
$mpdf = new mPDF();
$mpdf->WriteHTML($name);
$mpdf->Output();
exit;
?>
The special characters will not show.
The HTML form looks like this:
<form action="hidden.php" method="POST">
<p>Name:</p>
<input type="text" name="name">
<input type="submit" value="Send"><input type="reset" value="Clear">
</form>
Why won't the special characters show with this method? And which method should I use?
Since echoing the POST data back onto the website does not show the characters either, this clearly isn't an issue with mpdf. When using content including non-ASCII characters, special care about the website's character encoding has to be taken.
From the mpdf-documentation it can be seen that it supports UTF-8 encoding, so you might want to use that for your data. POST-data is received in the same encoding that is used by the website. So if the website is in latin-1, you will need to call utf8_encode() to convert the POST-data to unicode. If the website already uses UTF-8 you should be just fine.
If you don't set a specific encoding in the website header (which you should always do, to avoid this kind of trouble), the encoding might depend on several factors such as the operating system and configuration on the server, or the encoding of the original PHP source file, which, as it turns out, is influenced by your own OS configuration and choice of editor.
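The ReasonReact emoji problem earlier on this page and this mPDF problem are the same mistake seen from two sides: UTF-8 bytes emitted as four separate Latin-1 characters in one case, Latin-1 bytes handed to a UTF-8 consumer in the other. The following is an added example in plain Node (not code from either question, and not the PHP utf8_encode() implementation itself); it uses Node's Buffer to show both directions and a strict validity check. The byte sequences are constructed for the example.

```javascript
// Added example, not from the original page: bytes of one encoding being
// read as another, demonstrated in both directions.

// What the browser does with "\xf0\x9f\x92\xa9": each \x escape is one
// UTF-16 code unit (U+00F0, U+009F, U+0092, U+00A9), so it displays four
// Latin-1 characters, which is the mojibake in the ReasonReact question.
function codePointsOf(str) {
  return Array.from(str, (ch) => ch.codePointAt(0));
}

// Reinterpret a string whose code units are really bytes as UTF-8. This is the
// step the compiled output needed and did not get.
function byteStringToUtf8(byteString) {
  return Buffer.from(byteString, "latin1").toString("utf8");
}

// Strict UTF-8 check. Node replaces invalid sequences with U+FFFD instead of
// failing, so the reliable test is whether decoding and re-encoding gives the
// original bytes back.
function isValidUtf8(bytes) {
  const input = Buffer.from(bytes);
  const decoded = input.toString("utf8");
  return Buffer.from(decoded, "utf8").equals(input);
}

// Equivalent of PHP's utf8_encode(): ISO-8859-1 bytes -> UTF-8 bytes. Apply
// it only to data that really is Latin-1; running it on UTF-8 input double
// encodes the text.
function latin1ToUtf8(latin1Bytes) {
  return Buffer.from(Buffer.from(latin1Bytes).toString("latin1"), "utf8");
}

// Constructed inputs.
const compiledByOcaml = "\xf0\x9f\x92\xa9";            // the ReasonReact output
const latin1Form = Buffer.from([0xc6, 0xd8, 0xc5]);     // "ÆØÅ" posted from a Latin-1 page

console.log(codePointsOf(compiledByOcaml).map((c) => c.toString(16)));  // f0 9f 92 a9
console.log(byteStringToUtf8(compiledByOcaml));                          // the emoji
console.log(isValidUtf8(latin1Form));                                    // false: mPDF would show junk
console.log(latin1ToUtf8(latin1Form).toString("utf8"));                  // ÆØÅ
console.log(isValidUtf8(latin1ToUtf8(latin1Form)));                      // true
```

The round-trip check in `isValidUtf8` is worth keeping at the boundary where form data enters the application: if a page is served as UTF-8 and the check fails, a client has posted in some other encoding (or is probing the parser), and converting or rejecting at that point is simpler than debugging replacement characters in a generated PDF.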