Does jQuery support HTML escaping of data retrieved from an ajax call?

Most MVC frameworks support escaping of server data, before putting them on the web page. I couldn't find any option in jQuery's ajax method to do the same. In fact, I couldn't even find a native jQuery function to escape strings for proper display on the page (putting the contents in a div and calling .html() on it is not guaranteed to preserve white space). Why is it that this function is not available in jQuery, but you can find it in the underscore and prototype libraries?

asked 28 Aug '12 at 10:08

1 Answer

I think you mean you want to prevent HTML markup (e.g. <br/>, <a>, &) from being treated as HTML markup: you just want to display it straight to the user. This helps to prevent attacks like XSS (cross-site scripting).

This is actually very easy with jQuery, but it isn't the same as escaping. It's just using the text method, which means the content is treated as textual content, not as markup.

$.ajax({
    url: 'someurl',
    success: function(data) {
        $('#yourElement').text(data);
    }
});

It is different working client-side to server-side. Working server-side, you are dealing with markup, which needs to be escaped to stop the parser treating content that should be text as markup. On the client-side, the markup is already parsed, so all you need is to tell the browser "this is text content". This can be done in a variety of ways (innerText, document.createTextNode, or even document.createCDATASection); jQuery's data method does this for you.

answered 28 Aug '12 at 10:08
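
For the case the question raises, where AJAX data has to be placed inside markup you build as a string, so `.text()` on a single element is not enough, the following is an added example and not part of the original answer. The helper names `escapeHtml` and `renderComments`, the `#comments` selector and the sample response are assumptions made for illustration.

```javascript
// Added example: string escaping for data that must be embedded in built markup.
// escapeHtml and renderComments are hypothetical helper names, not jQuery APIs.
const HTML_ESCAPES = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;'
};

function escapeHtml(value) {
    // Coerce first so numbers, null and undefined are handled uniformly.
    const text = value == null ? '' : String(value);
    return text.replace(/[&<>"']/g, function (ch) {
        return HTML_ESCAPES[ch];
    });
}

// The fixed markup comes from us; every server-supplied field is escaped,
// both in element content and inside a double-quoted attribute value.
function renderComments(comments) {
    return comments.map(function (c) {
        return '<li title="' + escapeHtml(c.author) + '">' +
               escapeHtml(c.body) + '</li>';
    }).join('');
}

// Constructed sample of what the success callback might receive.
const sampleResponse = [
    { author: 'alice "admin"', body: 'Use <br/> & <a> tags' },
    { author: 'bob', body: "it's   spaced   out" }
];

const safeMarkup = renderComments(sampleResponse);

// In a page with jQuery loaded (skipped when run outside a browser):
if (typeof $ !== 'undefined') {
    $('#comments').html(safeMarkup);                 // escaped data inside our markup
    $('#yourElement').text(sampleResponse[0].body);  // single value: no escaping needed
}
```

Escaping leaves whitespace characters in the string untouched; whether the browser collapses them on display is controlled by CSS such as `white-space: pre-wrap`.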
