
Is A DOM Text Node Guaranteed To Not Be Interpreted As HTML?

Does anyone know whether a DOM Node of type Text is guaranteed not to be interpreted as HTML by the browser? More details follow.

Background: I'm building a simple web comment system f

Solution 1:

Yes, this is confirmed, to the extent that for whatever browser it wasn't, that browser would have a serious defect. A text node that rendered anything but text would be a contradiction. By using document.createTextNode("some string"); and appending that node, the string is guaranteed to be rendered as text.


Solution 2:

"I don't think filtering or escaping HTML tags is a very elegant solution--it's too easy to come up with a convolution that will slip past the filter"

That is absolutely untrue; filtering > to &gt; and < to &lt; will completely stop any HTML injection.
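
Both approaches from the answers above, as an added example that is not part of the original answers: renderComment builds the comment from text nodes as in Solution 1, and escapeHtml prepares it for output as an HTML string as in Solution 2, additionally covering & and both quote characters so the result is also safe inside a quoted attribute value. The function names and the sample comment are hypothetical.

```javascript
// Added example; renderComment, escapeHtml and SAMPLE are hypothetical names.

// Solution 1: build nodes, so user input is never parsed as markup.
// `doc` is any Document; in a browser pass `document`.
function renderComment(doc, author, body) {
  const item = doc.createElement("p");
  const name = doc.createElement("strong");
  name.appendChild(doc.createTextNode(author)); // text node: data, not markup
  item.appendChild(name);
  // Keep the commenter's line breaks using <br> elements we create ourselves.
  body.split("\n").forEach((line) => {
    item.appendChild(doc.createElement("br"));
    item.appendChild(doc.createTextNode(line));
  });
  return item;
}

// Solution 2: escape when the comment has to be emitted as an HTML string.
// One pass over the input, so text that already contains "&lt;" comes out
// as "&amp;lt;" and is displayed exactly as the commenter typed it.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderCommentHtml(author, body) {
  const lines = body.split("\n").map((line) => "<br>" + escapeHtml(line)).join("");
  return `<p><strong>${escapeHtml(author)}</strong>${lines}</p>`;
}

// Constructed sample input containing markup a commenter might type.
const SAMPLE = { author: "Ann & Bob", body: 'I like <b>bold</b> text\nand "quotes"' };

if (typeof document !== "undefined") {
  // Browser: the <b> in the comment shows up as literal characters.
  document.body.appendChild(renderComment(document, SAMPLE.author, SAMPLE.body));
} else {
  // No DOM (e.g. Node): print the escaped string form instead.
  console.log(renderCommentHtml(SAMPLE.author, SAMPLE.body));
}
```
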

