0

I am getting myList from the database and appending it to my table.

$.each(myList, function (index, data) {
    var row = '<tr>';        
    row = row +
        '<td class="action"><a href=\'#\' title=\'Edit Note\' onclick="showPopup(' + '\'' + note.RID + '\'); return false;" ><img width=\'25\' height=\'20\' src=\'../images/text-editor.png\' /></a></td>'
        + '</tr>';        
    $('#tblNotes').append(row);
});

If the value of row that comes from the database is a script, how can I show it in my table without executing the script?

One solution is to remove the script tag, like this:

row = row.replace("<script>", "");
row = row.replace("</script>", "");

But I don't want it. I have to show the exact value.

mplungjan
Abhishek Raj

2 Answers

1

I got the answer. I solved this by using HTML entities.

row = row.replace("<script>", "&lt;script&gt;");
row = row.replace("</script>", "&lt;/script&gt;");

By adding these lines, I can stop the script from executing.

Abhishek Raj
0

Either will work

var row = `Here is some embedded script <script>alert('bla')<\/script>`

document.getElementById("x").innerText = row

row = row.replace(/</g, "&lt;");

document.getElementById("y").innerHTML = row

<span id="x"></span>
<hr/>
<span id="y"></span>
mplungjan
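An added example, not part of either answer above: it escapes every HTML-significant character in the database value before the row string is built, and compares that with the literal `<script>` replacement from the first answer. The `Text` field, the `data-rid` attribute and the sample rows are assumptions made for illustration.

```javascript
// Added example (not from the original posts). Runs in Node or a browser console.
// The `Text` field, the data-rid attribute and the sample list are constructed.

// Escape every character that can change HTML parsing context, in element text
// or in a quoted attribute value. `&` is replaced first so the entities emitted
// by the later steps are not escaped a second time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The literal-string replacement from the first answer, kept for comparison.
function replaceScriptTagOnly(value) {
  return value
    .replace('<script>', '&lt;script&gt;')
    .replace('</script>', '&lt;/script&gt;');
}

// Build one table row. The id goes into a data attribute instead of being
// concatenated into an inline onclick handler, so it is never parsed as script.
function buildRow(note) {
  return '<tr>' +
    '<td class="action"><a href="#" title="Edit Note" data-rid="' +
    escapeHtml(note.RID) + '">Edit</a></td>' +
    '<td>' + escapeHtml(note.Text) + '</td>' +
    '</tr>';
}

// Constructed sample rows, as they might come back from the database.
const myList = [
  { RID: '17', Text: "<script>alert('bla')</script>" },
  { RID: '18', Text: "<script>alert('a')</script><script>alert('b')</script>" },
  { RID: '19', Text: 'Tom & "Jerry" <b>bold</b>' },
];

const rows = myList.map(buildRow);
rows.forEach((r) => console.log(r));

// replace() with a string pattern changes only the first match, so the second
// tag in row 18 is still live markup after the narrow replacement.
console.log(replaceScriptTagOnly(myList[1].Text));
```

In the page itself the rows can be appended with `$('#tblNotes').append(row)` as in the question, with one delegated click handler reading `data-rid` to call `showPopup`.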