If you paste an image into a RichTextArea and then call getHTML(), it returns an escaped HTML string like this:
"&lt;img src="http://www.example.com/images/n1.png" border="0" height="75" width="199"&gt;"
Then if you call
div.setInnerHTML(escaped html string),
it is shown as plain HTML:
<img src="http://www.example.com/images/n1.png" border="0" height="75" width="199">
not the expected result (an image). Other HTML content has this issue too. For example, if you input this content into the RichTextArea:
<script>alert("evil xss");</script>
then getHTML() returns:
&lt;script&gt;alert("evil xss");&lt;/script&gt;
and then div.setInnerHTML(escaped html) shows it as
<script>alert("evil xss");</script>
not the expected content:
<script>alert("evil xss");</script>
So how do I display them properly?
Use HTML (which is rendered as a div) and assign the content as a SafeHtmlString.
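An added example, not code from this thread or from GWT, showing in plain Node (no DOM) what each path does with the entity-escaped string that getHTML() returned above. The escaped string is the safe output: setting it as innerHTML shows literal "<img ...>" text, which is the symptom in the question. Decoding it and injecting the result does render the image, but it also executes the <script> that was typed into the editor, which is exactly the stored XSS that SafeHtml is meant to prevent. The allowlist sanitizer below is an assumption about the policy an application would want (keep img with an http(s) src and a few sizing attributes, drop script/style and every event handler); it is not a GWT API. The sample input is constructed from the strings in the question.

```javascript
// Added example, not code from the thread. Simulates in plain Node (no DOM) what each
// path does with the entity-escaped string that RichTextArea.getHTML() returned above.

const ESCAPE = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const UNESCAPE = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };

function encodeEntities(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPE[c]);
}

// Single pass, so "&amp;lt;" becomes "&lt;" rather than "<" (what a browser would show as text).
function decodeEntities(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (m) => UNESCAPE[m]);
}

// The text a browser displays for a piece of markup: tags are consumed, entities are decoded.
// The escaped string has no tags, so the user sees the literal "<img ...>" (the symptom in the question).
function visibleText(markup) {
  return decodeEntities(markup.replace(/<[^>]*>/g, ""));
}

function containsScript(markup) {
  return /<script\b/i.test(markup);
}

// Minimal allowlist sanitizer (assumption: this is the policy the application wants, not a GWT API).
// Tags not listed are stripped but their text is kept; <script>/<style> go together with their content;
// only listed attributes survive, and img src must be http(s), so onerror=, javascript: and data:
// never reach innerHTML.
const ALLOWED_TAGS = { img: ["src", "width", "height", "border"], b: [], i: [], p: [], br: [] };
const DROP_WITH_CONTENT = /<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;
const TAG = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function sanitizeHtml(html) {
  return html.replace(DROP_WITH_CONTENT, "").replace(TAG, (tag, name, attrs) => {
    const lname = name.toLowerCase();
    if (!(lname in ALLOWED_TAGS)) return "";
    if (tag.startsWith("</")) return `</${lname}>`;
    const kept = [];
    ATTR.lastIndex = 0;
    let m;
    while ((m = ATTR.exec(attrs)) !== null) {
      const attrName = m[1].toLowerCase();
      const value = decodeEntities(m[2] ?? m[3] ?? m[4]);
      if (!ALLOWED_TAGS[lname].includes(attrName)) continue;
      if (attrName === "src" && !/^https?:\/\//i.test(value)) continue;
      kept.push(`${attrName}="${encodeEntities(value)}"`);
    }
    return `<${lname}${kept.length ? " " + kept.join(" ") : ""}>`;
  });
}

// Constructed sample: the escaped string getHTML() returns for the image plus the <script> from the question.
const FROM_GET_HTML =
  '&lt;img src="http://www.example.com/images/n1.png" border="0" height="75" width="199"&gt;' +
  '&lt;script&gt;alert("evil xss");&lt;/script&gt;';

// Path 1 (the question): innerHTML = escaped string -> literal text, no image.
// Path 2 (the naive fix): innerHTML = decodeEntities(escaped) -> image renders, script runs too.
// Path 3: decode, then sanitize, then hand the result to the HTML widget / SafeHtml.
function safeMarkup(escaped) {
  return sanitizeHtml(decodeEntities(escaped));
}

console.log("shown as text:", visibleText(FROM_GET_HTML));
console.log("naive fix has script:", containsScript(decodeEntities(FROM_GET_HTML)));
console.log("sanitized:", safeMarkup(FROM_GET_HTML));
```

The regex-based sanitizer is deliberately small so the three paths are easy to compare; in a real application the same allowlist policy should be applied with a proper HTML parser, and the sanitized string is what gets wrapped as SafeHtml, never the raw decoded editor content.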