Re: Coding and decoding HTML entities

Anthony Jones wrote:
"Dennis Marks" <denmarks@xxxxxxxxx> wrote in message
news:%23A1GecuAJHA.1396@xxxxxxxxxxxxxxxxxxxxxxx
Dennis Marks wrote:
Martin Honnen wrote:
Dennis Marks wrote:
Is there a way in Javascript to convert from a character to its entity
and from its entity to a character? I wish to do it in a form. For
example someone enters &hearts; into the form and a heart is shown in
the output.
Well, if you are talking about JavaScript used in the browser in an HTML
document, then innerHTML helps, e.g.
var span = document.createElement('span');
span.innerHTML = '&hearts;';
someElement.appendChild(span);

Also the reverse, where a heart is entered into the form and
&hearts; is displayed.
For that you would need to set up some data structure that maps
characters to entity names.

I have tried various versions of your code and can't get it to work. Can
you give the exact code assuming a form named "Form3", input field
"Field6", and output field "Field7"?
The following works. Is there a better way?

var str1 = document.theForm3.field6.value;
var str2 = document.createElement("str2");

It's not a good idea to use "str2" as an element name; use an appropriate
HTML element such as "span" or "div".

str2.innerHTML = str1;
document.theForm3.field7.value = str2.innerHTML;

Basically you are allowing the user to enter HTML code into a field that you
then render on your page. The danger is that this could allow someone to do
something malicious. A user could enter something like this:

<img src="reference to image" onload="malicious jscript here" />

or some other similar thing.

You should therefore reject the < character in any input; the user will need
to use the &lt; entity for a visible < in the rendering.



Isn't anything malicious only going to cause problems on the person's own view of the page? I don't see how it could affect the source or anyone else's view of the page. The form goes nowhere. It just displays.
Here is my page.
http://www.geocities.com/denmarks/SpecialChars.html
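The whole exchange above turns on one point: innerHTML parses whatever it is given as markup, so an entity decoder built on it is also an HTML renderer, and an <img onload=...> in the input runs as script. Both conversions Dennis asked for can be done with plain string handling instead, so the input is never parsed as HTML at all. The following is an added example, not code from the original thread or from any of the posters. The named-entity table is a small constructed subset of the HTML 4 list, and the browser wiring at the end assumes the form and field names Form3, Field6 and Field7 that the thread mentions.

```javascript
// Added example: entity <-> character conversion with no innerHTML.
// Constructed subset of the HTML 4 named-entity table (name -> code point).
const NAMED_ENTITIES = {
  hearts: 0x2665, diams: 0x2666, clubs: 0x2663, spades: 0x2660,
  amp: 0x26, lt: 0x3c, gt: 0x3e, quot: 0x22,
  nbsp: 0xa0, copy: 0xa9, euro: 0x20ac,
};

// Reverse table (code point -> name), built once from the table above.
const NAME_BY_CODEPOINT = new Map(
  Object.entries(NAMED_ENTITIES).map(([name, cp]) => [cp, name]),
);

// Matches &name; , &#decimal; and &#xhex; references.
const ENTITY_RE = /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([A-Za-z][A-Za-z0-9]*));/g;

// Decode entity references to characters. Unknown names and invalid code
// points (out of range, or lone surrogates) are left exactly as typed, so
// the result is still plain text and nothing in it is ever treated as markup.
function decodeEntities(str) {
  return str.replace(ENTITY_RE, (match, dec, hex, name) => {
    let cp;
    if (dec !== undefined) cp = parseInt(dec, 10);
    else if (hex !== undefined) cp = parseInt(hex, 16);
    else if (Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)) cp = NAMED_ENTITIES[name];
    else return match;
    if (!Number.isInteger(cp) || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
    return String.fromCodePoint(cp);
  });
}

// Encode characters to entity references: a named entity where the table
// has one (this always covers & < > "), &#xHEX; for any other non-ASCII
// character, and everything else passed through unchanged.
function encodeEntities(str) {
  let out = '';
  for (const ch of str) { // iterates by code point, not by UTF-16 unit
    const cp = ch.codePointAt(0);
    const name = NAME_BY_CODEPOINT.get(cp);
    if (name !== undefined) out += `&${name};`;
    else if (cp > 0x7f) out += `&#x${cp.toString(16).toUpperCase()};`;
    else out += ch;
  }
  return out;
}

// Browser wiring (assumed form/field names from the thread). Assigning to
// .value stores text only, so "<img src=x onload=...>" entered in Field6
// is displayed verbatim in Field7 and never executes. Skipped under Node.
if (typeof document !== 'undefined' && document.forms.Form3) {
  const form = document.forms.Form3;
  form.Field7.value = decodeEntities(form.Field6.value);
}
```

Decoding and encoding are exact inverses for the characters in the table, so a round trip through both functions returns the original string; the one thing the decoder deliberately does not do is hand its output to innerHTML, which is where the risk Anthony describes comes from.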