How to show the content from RichTextArea.getHTML() in a div properly?


If pasting an image into RichTextArea, then .getHTML() will return an escaped HTML string like this:

"<img src="http://www.example.com/images/n1.png" border="0" height="75" width="199">"

then, if

div.setInnerHTML(escaped html string),

it will be shown as plain HTML:

<img src="http://www.example.com/images/n1.png" border="0" height="75" width="199">

which is not the expected result (an image). Other HTML content has this issue too; for example, if inputting this content into RichTextArea:

<script>alert("evil xss");</script>

then getHTML() will return:

<script>alert("evil xss");</script>

and then div.setInnerHTML(escaped html), it will be shown as

&lt;script&gt;alert("evil xss");&lt;/script&gt;

not the expected content:

<script>alert("evil xss");</script>

So, how to show them properly?

Answer from Alex Rogachevsky:

Use HTML (which is rendered as a div) and assign it as a SafeHtmlString.
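An added example (not part of the answer) of what that looks like in GWT. The choice of SafeHtml constructor is the security-relevant decision: fromString escapes, so the reader sees the markup as text (the symptom in the question), fromTrustedString renders it verbatim, which would run the script example from the question, and SimpleHtmlSanitizer keeps only an allowlist of formatting tags. The widget and SafeHtml classes are GWT's; the EditorPreview class and its method names are assumptions.

```java
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SimpleHtmlSanitizer;
import com.google.gwt.user.client.ui.HTML;
import com.google.gwt.user.client.ui.RichTextArea;

// Hypothetical class: an editor plus a preview area rendered as a <div>.
public class EditorPreview {
    private final RichTextArea editor = new RichTextArea();
    private final HTML preview = new HTML();

    // Escaped: markup is shown as literal text. Safe, but no image renders.
    static SafeHtml asLiteralText(String markup) {
        return SafeHtmlUtils.fromString(markup);
    }

    // Trusted: markup is rendered verbatim. Pasted images render, but so does
    // <script>alert("evil xss");</script>, i.e. stored XSS if the content ever
    // came from another user. Only acceptable for markup the application
    // itself produced, never for editor content a user can type or paste.
    static SafeHtml asTrustedMarkup(String markup) {
        return SafeHtmlUtils.fromTrustedString(markup);
    }

    // Sanitized: GWT's built-in sanitizer keeps a small allowlist of tags
    // (b, em, i, h1-h6, hr, ul, ol, li) and escapes everything else, so the
    // script is neutralised. <img> is not on that allowlist, so images are
    // escaped too; rendering them needs a sanitizer with an img rule.
    static SafeHtml asSanitizedMarkup(String markup) {
        return SimpleHtmlSanitizer.sanitizeHtml(markup);
    }

    // Copies the editor content into the preview div using the safe default.
    void showEditorContent() {
        String markup = editor.getHTML();
        preview.setHTML(asSanitizedMarkup(markup));
    }
}
```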