I am looking for an ideal way to display a URL exactly as it is in HTML using vanillaJS.

```
http://x.com/index.php?file\=Test&amp;op\="&gt;<script>window.alert('test');</script>
```

I tried the `<xmp>` tag, which works, but it is an obsolete tag.

Can someone help with a way to stringify the URL to display as it is?

This is different from the other question as it needs to prevent XSS and show the URL exactly as given.

Cœur
PH.
  • Have you tried wrapping in a `<pre>` or `<code>` tag? – Rob M. Aug 08 '17 at 18:56
  • Yes but lose '&gt;' plus the xss gets triggered – PH. Aug 08 '17 at 19:03
  • Possible duplicate of [Display HTML code in HTML](https://stackoverflow.com/questions/2820453/display-html-code-in-html) (Older question, so it still shows the deprecated `xmp`, but many of the other answers are still valid) – Daniel Beck Aug 08 '17 at 19:11
  • @RobM. — It isn't code so `<code>` makes no sense, whitespace doesn't have any significance so `<pre>` makes no sense, and it contains characters with special meaning in HTML that you don't address at all. – Quentin Aug 08 '17 at 19:13
  • @Quentin it has script tags with an alert, I’m pretty sure that is code. Also, it was a comment, not an answer - I wasn’t trying to address all of OPs issues (html entities, etc) – Rob M. Aug 08 '17 at 19:18

1 Answer

Convert it to a text node:

```js
var node = document.createTextNode(url);
```

… then add it to the document somewhere:

```js
document.body.appendChild(node);
```
Quentin
  • This is how I did it using Quentin's answer. Thanks Quentin! var div = document.createElement('div'); div.appendChild(document.createTextNode('http://x.com/index.php?file\=Test&amp;op\="&gt;<script>window.alert('test');</script>')); return '
    ' + div.innerHTML + '
    ';
    – PH. Aug 08 '17 at 20:32
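
An added example (not code from the question, the answer or the comments): the text-node approach from the answer next to a string-escaping helper for code that has to return an HTML string, as in the last comment. `escapeHtml`, `urlAsHtmlString`, `appendUrlAsText` and the `<span class="url">` wrapper are assumed names; the sample input is the URL from the question. Serialising a text node through `innerHTML` escapes `&`, `<` and `>` but not quotes, so the helper also escapes quotes to keep its output safe inside a quoted attribute value.

```javascript
// Added example; helper names are hypothetical, not from the page.
// Sample input: the URL from the question, kept byte for byte with String.raw.
const SAMPLE_URL = String.raw`http://x.com/index.php?file\=Test&amp;op\="&gt;<script>window.alert('test');</script>`;

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that can change HTML parsing in element content or
// in a quoted attribute value. '&' is handled in the same single pass, so
// entities already present in the input ("&amp;") are displayed literally
// instead of being decoded by the browser.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// String-building path: for code that must return markup rather than a node.
function urlAsHtmlString(url) {
  return '<span class="url">' + escapeHtml(url) + '</span>';
}

// DOM path (the answer's approach): a text node is never parsed as markup.
// `doc` is passed in so the function can be exercised outside a browser.
function appendUrlAsText(parent, url, doc) {
  const node = doc.createTextNode(String(url));
  parent.appendChild(node);
  return node;
}

// In a browser, show the sample; elsewhere (e.g. Node) this is skipped.
if (typeof document !== 'undefined' && document.body) {
  appendUrlAsText(document.body, SAMPLE_URL, document);
}
```
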