When using Ajax for a message board, a problem came up. After a message is written, its content is submitted through Ajax and added to the page with JS; when messages are browsed, they are also fetched through Ajax requests and then displayed. So if someone writes a JS statement in a message, that statement is executed in every visitor's browser. The solution is to escape these special characters before displaying the content.

If you use JSTL tags in your JSP, it is easy: use <c:out value="${r.content}"/>, which escapes automatically. The attribute escapeXml="true" is omitted because it is the default. Therefore, do not use a bare EL expression to display content submitted by users, since EL does not escape automatically; c:out does it for you.

If the content is fetched by an Ajax request and then displayed, use the following method. It is actually very simple. The code is as follows:

var html = "<script>alert('asdfasdf')<\/script>";
$("#content").text(html);
What happens here? jQuery's .text() sets the string as a text node, so the browser shows it literally instead of running it. In other words, the fix is to escape the special characters: turn < into &lt; and > into &gt;. You can let jQuery do the escaping for you by writing the string as text into a hidden element and reading back its HTML. The code is as follows:

<body>
<span id="x" style="display:none"></span>
<div id="content"></div>
<!-- jQuery must be loaded before the script below; the path is assumed -->
<script src="jquery.js"></script>
<script>
// sample of user-submitted content as returned by the Ajax request
var html = "<script>alert('asdfasdf')<\/script>";
// .text() stores the string as a text node in the hidden span;
// .html() reads it back with <, > and & already escaped to entities
html = $("#x").text(html).html();
$("#content").append("<div>" + html + "</div>");
</script>
</body>
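As an added example that is not part of the original post, here is the same escaping done as a plain string function, so it can run without a DOM and can be used before building the markup that is passed to append(). It also escapes quotes, which the hidden-span trick does not (browsers serialize text nodes escaping only &, < and >), so the result is safe inside attribute values as well as element content. The message strings and the renderMessage/renderMessageWithTitle helpers are constructed for this example.

```javascript
// Entity map for the five characters that can break out of text or
// attribute context. The hidden-span/.html() trick only handles &, <, >.
const ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a user-supplied string for insertion into HTML. '&' is in the
// character class, so already-escaped input is escaped again rather than
// left as live markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Build the markup for one message the way the post's append() call does,
// but escaping first so the content is rendered as text, never executed.
function renderMessage(content) {
  return '<div>' + escapeHtml(content) + '</div>';
}

// Same idea in an attribute context: a quote in the author name would end
// the title attribute early without quote escaping.
function renderMessageWithTitle(author, content) {
  return '<div title="' + escapeHtml(author) + '">' + escapeHtml(content) + '</div>';
}

// Constructed sample messages as they might come back from the Ajax call.
const SAMPLE_MESSAGES = [
  'hello <b>world</b>',
  "<script>alert('asdfasdf')</script>",
  'Tom & Jerry',
];

// Render a whole message list; the caller can hand the result to append().
function renderAll(messages) {
  return messages.map(renderMessage).join('');
}

console.log(renderAll(SAMPLE_MESSAGES));
```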