Saturday, June 13, 2015

How to show the content from RichTextArea.getHTML() in a div properly?

If pasting an image into RichTextArea, then getHTML() will return an escaped html string like this:

"<img src="http://www.example.com/images/n1.png" border="0" height="75" width="199">"

then if

div.setInnerHTML(escaped html string),

it will be shown as plain html:
<img src="http://www.example.com/images/n1.png" border="0" height="75" width="199">

not the expected result (an image). Other html content has this issue; for example, if inputting this content into RichTextArea:

<script>alert("evil xss");</script>

then getHTML() will return:

<script>alert("evil xss");</script>

and then div.setInnerHTML(escaped html), it will be shown as

&lt;script&gt;alert("evil xss");&lt;/script&gt;

not the expected content:

<script>alert("evil xss");</script>

So, how to show them properly?
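The poster's second case shows why decoding the escaped string straight into setInnerHTML is unsafe: whatever text the user typed becomes live markup. An added example, not from the original post or from the GWT project, in plain JavaScript (what GWT's setInnerHTML ends up doing in the browser): decode the entities, then let only whitelisted tags and attributes through before the string reaches innerHTML. The sample strings are constructed to mimic the poster's two inputs; the sanitizer is regex-based for illustration, and a real app should use a proper one (GWT's own SimpleHtmlSanitizer/SafeHtml classes, or DOMPurify in the browser).

```javascript
// Added example (not from the post or GWT): undo entity escaping, then
// allow only whitelisted markup through before it is handed to innerHTML.
const ENTITIES = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
const ALLOWED = { b: [], i: [], em: [], strong: [], p: [], br: [],
                  img: ['src', 'alt', 'width', 'height', 'border'] };

// &amp; is decoded last so that "&amp;lt;" does not turn into a "<".
function unescapeHtml(s) {
  return s.replace(/&(lt|gt|quot|#39);/g, (m) => ENTITIES[m]).replace(/&amp;/g, '&');
}

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Rebuild one tag from scratch: unknown tags are shown as text (exactly what
// the poster saw), known tags keep only whitelisted attributes.
function rebuildTag(raw, name, attrText) {
  const allowedAttrs = ALLOWED[name];
  if (allowedAttrs === undefined) return escapeText(raw);
  if (raw.startsWith('</')) return `</${name}>`;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let attrs = '', a;
  while ((a = attrRe.exec(attrText)) !== null) {
    const key = a[1].toLowerCase(), val = a[2] || a[3] || a[4] || '';
    if (!allowedAttrs.includes(key)) continue;                 // drops onerror=, style=, ...
    if (key === 'src' && !/^https?:\/\//i.test(val.trim())) continue; // no javascript:/data: URLs
    attrs += ` ${key}="${escapeText(val)}"`;
  }
  return `<${name}${attrs}>`;
}

function sanitizeHtml(html) {
  // script/style blocks go with their contents, not just the surrounding tags
  html = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)) + rebuildTag(m[0], m[1].toLowerCase(), m[2]);
    last = tagRe.lastIndex;
  }
  return out + escapeText(html.slice(last));
}

// What the poster is after: the escaped getHTML() output, rendered as markup.
function renderUserHtml(escapedFromGetHtml) {
  return sanitizeHtml(unescapeHtml(escapedFromGetHtml));
}

// Constructed inputs mimicking the poster's two cases (quotes escaped as &quot;).
const ESCAPED_IMG = '&lt;img src=&quot;http://www.example.com/images/n1.png&quot; border=&quot;0&quot; height=&quot;75&quot; width=&quot;199&quot;&gt;';
const ESCAPED_SCRIPT = '&lt;script&gt;alert(&quot;evil xss&quot;);&lt;/script&gt;';
```

renderUserHtml(ESCAPED_IMG) gives back the img tag for setInnerHTML, while renderUserHtml(ESCAPED_SCRIPT) gives an empty string because the script block is removed whole.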

