jQuery doesn't parse escaped HTML in .html() method

Dj-Suresh

New Member
Take for example this HTML:

[code]<td onclick="$(this).html('Wanted HTML: <br>; Unwanted HTML: <script>alert('xss')</script>')">Click to Show</td>[/code]

As you can see, I have already escaped (using PHP) the unwanted HTML to entities. But when you click the box it executes the JavaScript.

If I change [code].html[/code] to [code].text[/code], it displays the line breaks literally as well.

How can I have it show the [code]<br>[/code]s as line breaks, but the [code]<[/code]s and [code]>[/code]s as literally less than and greater than signs when you click the box?
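The behaviour in the question comes from two decoding steps, not one: the HTML parser decodes the entities inside the onclick attribute before the JavaScript string exists, so a once-escaped `&lt;script&gt;` reaches `.html()` as a literal `<script>`, and jQuery then parses it as markup. The example below is an added illustration, not code from the original post. It runs without a browser, so `decodeEntities` is a deliberately small stand-in for the browser's attribute decoding (it handles only the five entities `escapeHtml` produces) and `containsMarkup` stands in for "the HTML parser would see an element here"; `toSafeHtml`, `forAttribute` and `toNodes` are assumed helper names.

```javascript
// Added example: why a once-escaped string inside an onclick attribute comes
// back to life as markup, and two ways to keep user text inert while still
// turning newlines into <br>.

// Escape text so innerHTML / jQuery .html() shows it literally.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for the browser decoding an attribute value (assumption: only the
// five entities above are handled; a real browser decodes the full table).
// Single pass, so "&amp;lt;" becomes "&lt;" and not "<".
function decodeEntities(s) {
  const map = { lt: "<", gt: ">", quot: '"', "#39": "'", amp: "&" };
  return String(s).replace(/&(lt|gt|quot|#39|amp);/g, (_, name) => map[name]);
}

// Crude check for tag-like markup, standing in for the HTML parser.
function containsMarkup(s) {
  return /<[a-zA-Z\/]/.test(s);
}

// Fix A: escape the text for HTML, turn newlines into <br>, and then escape
// the whole result once more because it is going into an attribute.
function toSafeHtml(userText) {
  return escapeHtml(userText).replace(/\r?\n/g, "<br>");
}
function forAttribute(jsStringContent) {
  return escapeHtml(jsStringContent);
}

// Fix B: never route user text through the attribute at all. Keep it in a
// data-* attribute and build text nodes plus <br> elements on click. This
// returns a DOM-neutral description (in a browser: document.createTextNode
// and document.createElement("br"), or jQuery's $("<br>")).
function toNodes(userText) {
  const nodes = [];
  String(userText).split(/\r?\n/).forEach((line, i) => {
    if (i > 0) nodes.push({ type: "br" });
    if (line.length) nodes.push({ type: "text", value: line });
  });
  return nodes;
}

// Walk through the question's case with a constructed input.
function demo() {
  // Constructed sample: user-controlled text containing a newline and a tag.
  const input = "line one\n<script>alert('xss')</script>";

  // What the question's PHP did: escape once, then drop it into onclick.
  const onceEscaped = "Wanted HTML: <br>; Unwanted HTML: " + escapeHtml(input);
  // Attribute decoding undoes that single escape before .html() runs.
  const seenByHtml = decodeEntities(onceEscaped);

  // Fix A: escape for the attribute context as well.
  const attrValue = forAttribute(toSafeHtml(input));
  const fixedSeenByHtml = decodeEntities(attrValue);

  return {
    input,
    seenByHtml,                          // contains a live "<script>" tag
    unsafe: containsMarkup(seenByHtml),  // true
    fixedSeenByHtml,                     // "<br>" survives, "<script" does not
    fixedStillHasBreak: fixedSeenByHtml.includes("<br>"),
    fixedHasScript: /<script/i.test(fixedSeenByHtml),
    nodes: toNodes(input),               // [text, br, text]
  };
}

console.log(demo());
```

Fix A answers the literal question (keep the `<br>` but show `<` and `>` as text), but it depends on getting the escaping right for two nested contexts. Fix B is the more robust shape: the text never becomes part of a JavaScript string embedded in HTML, so there is only one context to escape for.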