 

How to avoid double HTML escaping text?

In my application, there are times when some text may or may not be HTML escaped (depending on where the data came from). I want to ensure the non-escaped text gets escaped, but the already escaped text doesn't get escaped again.

How do people typically solve this?

Davis Dimitriov asked Dec 12 '25 05:12


2 Answers

You can't tell from the data.

For example:

Bob &amp; Alice

… could be "The HTML representation of Bob & Alice" or it could also be "The plain text representation of Bob &amp; Alice" (e.g. from an HTML tutorial).

Since you say:

depending on where the data came from

… keep track of where it comes from, and make sure you know if a source provides trusted HTML or plain text.

If you don't know, then how you handle it will depend on the context. The safe option would be to assume it is always plain text and thus always encode it. That will protect you from scripting injection attacks.

Quentin answered Dec 14 '25 18:12


One way is to unescape the string and compare it to the original. If it is the same, the original is unescaped data, otherwise it is escaped data.

// Minimal HTML escape/unescape helpers (JavaScript's built-in escape()/unescape()
// do URL percent-encoding, not HTML entity encoding, so they must not be used here).
var escapeHtml = function (s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
};
var unescapeHtml = function (s) {
  // &amp; is decoded last so that "&amp;lt;" becomes "&lt;" rather than "<"
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
};
var str = '<data>';

// Escape only when unescaping changes nothing, i.e. the string contains no entities yet
if (unescapeHtml(str) === str) {
  str = escapeHtml(str);
}
nikc.org answered Dec 14 '25 19:12
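The following is an added example, not code from either answer. It puts the two answers side by side: the "unescape and compare" heuristic from the second answer, implemented with real HTML entity handling, and the provenance approach from the first answer, where each value records whether it is trusted HTML or plain text and is escaped exactly once, at the point it is written into the page. The helper names (escapeHtml, unescapeHtml, TrustedHtml, renderToHtml, escapeUnlessAlreadyEscaped) and the sample inputs are this example's own assumptions.

```javascript
// Entity map covering the characters that matter in HTML text and attribute values.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

function unescapeHtml(html) {
  // Decode the entities escapeHtml produces. &amp; is decoded last so that
  // "&amp;lt;" becomes "&lt;" and not "<".
  return String(html)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Approach 1 (second answer): guess from the data. If unescaping changes nothing,
// assume the string is plain text and escape it; otherwise pass it through.
function escapeUnlessAlreadyEscaped(str) {
  return unescapeHtml(str) === str ? escapeHtml(str) : str;
}

// Approach 2 (first answer): carry provenance with the value. A TrustedHtml value
// was produced by code the application controls (a template, a sanitizer, a
// markup generator). Everything else is plain text and is escaped once on output.
class TrustedHtml {
  constructor(html) { this.html = html; }
}
function trustedHtml(html) { return new TrustedHtml(html); }

function renderToHtml(value) {
  if (value instanceof TrustedHtml) return value.html;   // already HTML, emit as-is
  return escapeHtml(value);                             // plain text, escape exactly once
}

// Run both approaches over one input and return what each would write to the page.
function compareApproaches(input) {
  return {
    heuristic: escapeUnlessAlreadyEscaped(input),
    provenance: renderToHtml(input),   // input came from a text field, so: plain text
  };
}

// Constructed sample inputs.
// (a) The tutorial case from the first answer: a user literally typed "Bob &amp; Alice".
//     The heuristic sees an entity, treats the string as HTML and passes it through,
//     so the browser shows "Bob & Alice" instead of the text the user wrote.
//     The provenance approach escapes it once and the browser shows "Bob &amp; Alice".
const tutorialResult = compareApproaches('Bob &amp; Alice');

// (b) Plain text mixing raw markup with a single entity. The heuristic again sees
//     an entity and passes the whole string through, so the <b> tags reach the page
//     unescaped. This is why the first answer says you cannot tell from the data.
const mixedResult = compareApproaches('<b>bold</b> &amp; more');

// (c) HTML the application itself generated, marked as such at the source.
const linkResult = renderToHtml(trustedHtml('<a href="/u/bob">Bob</a>'));

if (typeof require !== 'undefined' && require.main === module) {
  console.log(tutorialResult);
  console.log(mixedResult);
  console.log(linkResult);
}
```

The point of the second approach is that the decision is made where the knowledge exists (the code that produced the value), not where it has been lost (the rendering code looking at a bare string). Any value not explicitly wrapped as TrustedHtml is escaped, which is the "assume plain text and always encode" default the first answer recommends.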


