html into input value

Question

I have a problem to load html into input field value. As the pictures.

A) When i save it:

enter image description here

B) When i load it:

enter image description here

C) The code used for create input field:

var templateField;
templateField = '<input type="text" id="' + fieldName + '" maxlength="' + args.maxlength + '" value="' + args.value + '"/>';
$controller.append(templateField);

Note: I can't append templateField first and after that do an innerHtml because i don't know what type of value will be (date, boolean, etc). This controller is used to create fields dynamic. I have this problem just when the type of value is String and the user put html values at the field.

See if this helps? http://stackoverflow.com/questions/1219860/html-encoding-in-javascript-jquery — Zach Leighton, Nov 14 '14 at 14:29
Looks like you have an XXS vulnerability. escape user input. — epascarello, Nov 14 '14 at 14:34
@ZachLeighton, i call htmlEncode passing 'teste /">' by parameter and return is 'teste /">'. But when render this value into input, it just show 'teste /'. — José Luiz, Nov 14 '14 at 15:55
@epascarello, was used escape to save and undescape to load into input value. But, when render the value, happend this topic error — José Luiz, Nov 14 '14 at 16:01

score 0 · Answer 1 · answered Nov 14 '14 at 18:33

You need to escape the values before setting them:

function replaceStr(str) {
  return str
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");

}

value="' + replaceStr(args.value) + '"

The single quote replacement is optional in this case.

html into input value

1 Answers1