The insertion looks like this:
a_span.innerHTML() = input.value
To prevent any kind of attacks in PHP I use htmlspecialchars. Should I use this
for protection or native escape is enough?
-
1if your update remains client-side, I can't see why you would need to escape the input. Yet, you should escape when it is sumbited server-side and you need to execute the input (for table update for instance)JMax– JMax2011-09-25 18:27:44 +00:00Commented Sep 25, 2011 at 18:27
-
The update remains client-side, but if the user inputs some special chars, he will break the layout and it would be a bugDan– Dan2011-09-25 18:30:53 +00:00Commented Sep 25, 2011 at 18:30
-
Yes, I think @JMax is right, no worries about the attacjsDan– Dan2011-09-25 18:31:46 +00:00Commented Sep 25, 2011 at 18:31
Add a comment
|
1 Answer
First off, I'm assuming you intended to write a_span.innerHTML = input.value, since innerHTML isn't a function.
Secondly, you should use document.createTextNode() instead of innerHTML if you're worried about your text being interpreted as HTML entities. Something like a_span.innerHTML="";a_span.appendChild(document.createTextNode(input.value)); should work okay.
