Guide: htmlspecialchars_decode in JavaScript
Apparently, this is harder to find than I thought it would be. And it even is so simple... Is there a function equivalent to PHP's htmlspecialchars built into JavaScript? I know it's fairly easy to implement that yourself, but using a built-in function, if available, is just nicer. For those unfamiliar with PHP, htmlspecialchars translates stuff like I know that
asked Nov 24, 2009 at 1:59
Bart van Heukelom

There is a problem with your solution code--it will only escape the first occurrence of each special character. For example:
Here is code that works properly:
Update: The following code will produce identical results to the above, but it performs better, particularly on large blocks of text (thanks jbo5112).
answered Jan 29, 2011 at 5:48
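The first-occurrence problem described in the answer above, next to a single-pass escape and its matching decode, as an added example that is not code from any answer on this page. The function names and the sample string are constructed for illustration, and the entity set is the five characters PHP's htmlspecialchars handles with ENT_QUOTES.

```javascript
// Added example: names are illustrative, not taken from any answer on this page.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};
const UNESCAPE_MAP = Object.fromEntries(
  Object.entries(ESCAPE_MAP).map(([ch, entity]) => [entity, ch])
);

// Pitfall: replace() with a string pattern only replaces the first match.
function escapeFirstOnly(text) {
  return text
    .replace('&', '&amp;')
    .replace('<', '&lt;')
    .replace('>', '&gt;');
}

// One pass with a global regex: every occurrence is escaped, and the '&'
// written by one replacement is never seen (and re-escaped) by another.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Also a single pass, so "&amp;lt;" decodes to "&lt;" and not to "<".
// Chained decoding that handles &amp; first would decode two levels.
function unescapeHtml(text) {
  return String(text).replace(
    /&(?:amp|lt|gt|quot|#039);/g,
    (entity) => UNESCAPE_MAP[entity]
  );
}

const sample = '<a href="?x=1&y=2">Tom & "Jerry\'s" <b></a>'; // constructed input
console.log(escapeFirstOnly(sample)); // later '<', '>' and '&' are left raw
console.log(escapeHtml(sample));
console.log(unescapeHtml(escapeHtml(sample)) === sample);
```

Escaping is not idempotent: calling escapeHtml on text that is already escaped encodes the ampersands a second time.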
That's HTML Encoding. There's no native javascript function to do that, but you can google and get some nicely done up ones. E.g. http://sanzon.wordpress.com/2008/05/01/neat-little-html-encoding-trick-in-javascript/

EDIT:

Output:

answered Nov 24, 2009 at 2:04
o.k.w

Worth a read: http://bigdingus.com/2007/12/29/html-escaping-in-javascript/
Note: Only run this once. And don't run it on already encoded strings e.g.
answered Mar 13, 2012 at 2:09
Chris Jacob

Here's a function to escape HTML:
And to decode:
answered Jan 17, 2017 at 14:01
Dan Bray

With jQuery it can be like this:

From related question Escaping HTML strings with jQuery

As mentioned in comment, double quotes and single quotes are left as-is for this implementation. That means this solution should not be used if you need to make element attribute as a raw html string.
answered Sep 2, 2010 at 11:51
Underscore.js provides a function for this:

http://underscorejs.org/#escape

It's not a built-in JavaScript function, but if you are already using Underscore.js, it is a better alternative than writing your own function if your strings to convert are not too large.
answered Jun 2, 2014 at 12:14
mer10z_tech

Yet another take at this is to forgo all the character mapping altogether and to instead convert all unwanted characters into their respective numeric character references, e.g.:
Note that the specified RegEx only handles the specific characters that the OP wanted to escape but, depending on the context that the escaped HTML is going to be used, these characters may not be sufficient. Ryan Grove’s article There's more to HTML escaping than &, <, >, and " is a good read on the topic. And depending on your context, the following RegEx may very well be needed in order to avoid XSS injection:
answered Sep 8, 2014 at 16:48
Fredric

Chances are you don't need such a function. Since your code is already in the browser*, you can access the DOM directly instead of generating and encoding HTML that will have to be decoded backwards by the browser to be actually used. Use Use All of these will handle escaping for you. More precisely, no escaping is needed and no encoding will be performed underneath**, since you are working around HTML, the textual representation of DOM.

* This answer is not intended for server-side JavaScript users (Node.js, etc.)
** Unless you explicitly convert it to actual HTML afterwards. E.g. by accessing

answered Nov 29, 2017 at 16:22
user

Use:
Sample:
answered Mar 20, 2014 at 8:31
patrick

This solution uses the numerical code of the characters, for example Although its performance is slightly worse than the solution using a map, it has the advantages:
answered Nov 2, 2018 at 14:33
user202729

I am elaborating a bit on o.k.w.'s answer. You can use the browser's DOM functions for that.
This returns It uses the standard function
answered Feb 27, 2019 at 23:02
Jonas Eberle

By the books

OWASP recommends that "[e]xcept for alphanumeric characters, [you should] escape all characters with ASCII values less than 256 with the So here's a function that does that, with a usage example:
For Node.js users (or users using the Jade runtime in the browser), you can use Jade's escape function.
There isn't any sense in writing it yourself if someone else is maintaining it. :)
answered Oct 28, 2011 at 20:37
BMiner
answered Mar 16 at 23:07
answered Mar 4, 2013 at 12:35

This isn't directly related to this question, but the reverse could be accomplished in JS through:

That also works with TypeScript.

answered Dec 14, 2020 at 17:52
Philippe Fanaro

I hope this wins the race due to its performance and most important not a chained logic using .replace('&','&amp;').replace('<','&lt;')...
answered Feb 26, 2014 at 16:45
Airy

Reversed one:
rgmt
answered Dec 1, 2016 at 8:35
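The numeric-character-reference approach that several answers above describe, together with a decode for the reverse direction, written out as an added example that is not code from any answer on this page. The function names and sample values are constructed, and the hexadecimal reference form is a choice made here.

```javascript
// Added example: function names and sample values are constructed for illustration.

// Encode every code unit below 256 that is not an ASCII letter or digit as a
// hexadecimal numeric character reference. Characters at U+0100 and above
// (including surrogate pairs) are left as they are.
function escapeHtmlNumeric(text) {
  return String(text).replace(/[^0-9A-Za-z\u0100-\uFFFF]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0');
    return '&#x' + hex + ';';
  });
}

// Reverse direction: decode decimal (&#60;) and hexadecimal (&#x3C;) references
// in one pass, so text that was escaped twice is only decoded one level.
function unescapeNumeric(text) {
  const pattern = /&#(?:[xX]([0-9A-Fa-f]+)|([0-9]+));/g;
  return String(text).replace(pattern, (ref, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    // Keep references to NUL, surrogates and out-of-range values undecoded.
    const invalid = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    return invalid ? ref : String.fromCodePoint(cp);
  });
}

// An escape limited to & < > " ' leaves space and '=' alone, which is enough
// to add a second attribute when the value lands in an unquoted attribute.
const value = 'blue data-x=1'; // constructed input
console.log('<p class=' + value + '>');                    // parsed as two attributes
console.log('<p class=' + escapeHtmlNumeric(value) + '>'); // one attribute value
console.log(unescapeNumeric(escapeHtmlNumeric(value)) === value);
```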