Answer the question
In order to leave comments, you need to log in
How to properly escape HTML?
Question: I want to convert them from ordinary emoticons to apple emoji. I did it, but here is a question about security. I use laravel and output {{ toEmoji($text) }} in html, the text with "img" tags is returned, and emoticons are of course not displayed. If I output {!! toEmoji($text)!!}, then everything is ok, but you can send js code this way, and it will work.
How to properly screen? Or do you need to somehow save the code in the database at the stage of receiving the text, if so, how is this done? VK has emoticons and everything works well there, any JS does not skip, but displays emoticons.
Answer the question
In order to leave comments, you need to log in
{{ toEmoji($text) }} is the same {!! toEmoji($text)!!} with only escaping. What prevents you from starting screening manually?{!! toEmoji(e($text))!!}
You can, of course, clean the code from certain tags and attributes. But this is not a very good way. Today there is an onclick attribute that you successfully cut, and tomorrow they will invent a new doubleclick attribute, and through the code - tripleclick. And each time you will need to finish your parser.
It is better to approach the issue radically - to make a white list of tags and their attributes. And cut everything else without pity. True, for this you have to parse the code completely, and then parse it back (skipping only what is allowed). Writing such a parser is a little more difficult, but worth it.
Angular does not have a conditional attribute setting construct like ng-class, so either write something like attr="{{condition ? trueValue : falseValue}}", or, if it is the presence/absence of the attribute that is required, use ng-switch/ ng-if. Binding to the class of tr will also not work directly, in this case, you need to write the construction ng-class="{ 'some-class': condition }" to tr, and check for this condition in td.
Angular does not have a conditional attribute setting construct like ng-class, so either write something like attr="{{condition ? trueValue : falseValue}}", or, if it is the presence/absence of the attribute that is required, use ng-switch/ ng-if. Binding to the class of tr will also not work directly, in this case, you need to write the construction ng-class="{ 'some-class': condition }" to tr, and check for this condition in td.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question