Skip to content

Instantly share code, notes, and snippets.

@jed
Forked from 140bytes/LICENSE.txt
Created May 10, 2011 16:38
Show Gist options
  • Save jed/964847 to your computer and use it in GitHub Desktop.
Save jed/964847 to your computer and use it in GitHub Desktop.
use cached DOM elements to escape HTML
function(
a // string to escape
){
return new // create a new
Option(a) // <option> element containing the HTML,
.innerHTML // and return its HTML.
}
function(a){return new Option(a).innerHTML}
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004
Copyright (C) 2011 Jed Schmidt <http://jed.is>
Everyone is permitted to copy and distribute verbatim or modified
copies of this license document, and changing it is allowed as long
as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. You just DO WHAT THE FUCK YOU WANT TO.
{
"name": "escapeHTML",
"keywords": ["escape", "escaping", "HTML", "XSS"]
}
@p01
Copy link

p01 commented Sep 18, 2011

The new operator isn't required in Opera either. Oh well!

@eligrey
Copy link

eligrey commented Sep 19, 2011

If you want to also escape double quotes, you could use function(a){return new Audio(a).outerHTML.slice(27,-10)} instead.

@mathiasbynens
Copy link

Sadly, new Option(a).innerHTML and new Audio(a).outerHTML.slice(27,-10) don’t work in IE < 9; the latter fails in in Firefox 6 as well. Not sure if this is an issue though… Which browsers need to be supported in @140bytes snippets?

(Btw, related @140bytes snippet: https://gist.github.com/989212)

@jed
Copy link
Author

jed commented Sep 19, 2011

good question, @mathiasbynens... which ones do you think we should target?

@mathiasbynens
Copy link

I like to keep things challenging, so I’d vote for…

  • IE6+
  • Latest stable Opera, Firefox, Chrome, and Safari

IMHO only supporting the latest IE release would make things too easy, but that’s just me. What do others think?

@subzey
Copy link

subzey commented Sep 21, 2011

My humble opinion: script w/o ie6 is better than no script at all, but script in 140 that supports ie6 is better than one in 140 bytes that doesn't support ie6.
Maybe, non-ie6 scripts should have "ie7+" keyword?

@Daniel-Hug
Copy link

Here's the old version using the textNode's data property instead of nodeValue (browser support IE5+, and everything else):

var escapeHTML = (function() {
    var el = document.createElement('b'),
        textNode = el.appendChild(document.createTextNode(''));
    return function(str) {
        textNode.data = str;
        return el.innerHTML;
    };
})();


Minified (132 bytes):

function(a,b){a=(b=a.createElement('b')).appendChild(a.createTextNode(0))
return function(s){a.data=s
return b.innerHTML}}(document)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment