How can I convert strings with HTML entities into normalized form?

Question

I want to use jquery to convert text containing strings like   , etc into a more human-readable form. This works in jsfiddle:

<input id="stupid-approach" type="hidden">

function js_text(theVal) {
    $("#stupid-approach").html(theVal);
    x = $("#stupid-approach").html();
    return x;
}

alert(js_text("&eacute;"));

But I'm wondering if there is a way to do it that does not rely on a hidden field in the DOM?

adeneo · Accepted Answer · 2013-05-17 19:32:56Z

8

just create an empty element, there's no need to have an actual hidden element in the DOM :

function js_text(theVal) {
    return $("<div />", {html: theVal}).text();
}

FIDDLE

edited May 17, 2013 at 19:32

answered May 17, 2013 at 19:27

adeneo

319k29 gold badges410 silver badges392 bronze badges

Sign up to request clarification or add additional context in comments.

3 Comments

John Dvorak Over a year ago

@Poni the comma on the first line makes the var apply to x as well

user400654 Over a year ago

@JanDvorak the original answer didn't have a comma, :p simple typo

adeneo Over a year ago

I added the comma later, and changed it now to not need a comma !

dandavis · Accepted Answer · 2013-05-17 20:21:21Z

1

in consideration of the feedback about jQuery's .html() method's evaluation of script tags, here is a safer native version that's not tooo unwieldy:

function js_text(theVal) {
    var div=document.createElement("div");
    div.innerHTML=theVal;
   return div.textContent;
}

use it instead of $(xxx).html() when you don't trust the input 100%

answered May 17, 2013 at 20:21

dandavis

16.8k5 gold badges43 silver badges38 bronze badges

Comments

RichieHindle · Accepted Answer · 2013-05-17 19:29:37Z

0

No. There's no purely programmatic way to do this that doesn't involve getting the browser to treat the string as HTML, as in your example. (Beware untrusted inputs when doing that, by the way - it's an injection attack waiting to happen.)

answered May 17, 2013 at 19:29

RichieHindle

283k49 gold badges367 silver badges408 bronze badges

3 Comments

dandavis Over a year ago

how is it an "injection attack waiting to happen"? an injection of CSS?

RichieHindle Over a year ago

Script injection. What if the text in question is <script>do_harmful_stuff()</script>?

dandavis Over a year ago

so what? nothing happens: .innerHTML-added scripts don't fire, and they never have... ED: ok, touchè. jQuery is TOO helpful here, one reason i don't like it...

Tomas Kirda · Accepted Answer · 2013-05-17 19:30:48Z

0

You should be able to just do:

return $('<div>'+ theVal + '</div>').html();

answered May 17, 2013 at 19:30

Tomas Kirda

8,4233 gold badges33 silver badges24 bronze badges

2 Comments

Strat-O Over a year ago

I made a minimum version of this function js_text(theVal) { return $("<div />").html(theVal).html(); } alert(js_text("é"));

dandavis Over a year ago

function js_text(theVal) { return $(theVal.big()).html(); } is shorter... :P

Collectives™ on Stack Overflow

How can I convert strings with HTML entities into normalized form?

4 Answers 4

3 Comments

Comments

3 Comments

2 Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

4 Answers 4

3 Comments

Comments

3 Comments

2 Comments

Your Answer

Sign up or log in

Post as a guest

Related