
I am calling an API command (`@ReportProperty2(45899,exportdata,,'16115898')@`) which returns the HTML of the button, but in string format: `>` and `<` come back as `&gt;` and `&lt;`, and there are double quotes as well, which breaks my code at the following line:

const aaa = "@ReportProperty2(45899,exportdata,,'16115898')@";

RESULT FROM THE COMMAND:

"&lt;button type=button class=Button onclick="openwp('1677008','RHpdFBx7GS9YGFEwFmUUCyE4Ih8lHyA!H2JbUENBa1BV')" &gt;&lt;i class="fa fa-pencil-square-o" style="margin: 0 4px 0 0"&gt;&lt;/i&gt;Enter Budget&lt;/button&gt;"

I have tried replacing them, but it is throwing an "unexpected token: identifier" error.

How can I convert the result to the following:

<button type="button" 
        class="Button" 
        onclick="openwp('1677008','RHpdFBx7GS9YGFEwFmUUCyE4Ih8lHyA!H2JbUENBa1BV')">
  <i class="fa fa-pencil-square-o" 
     style="margin: 0 4px 0 0" 
     data-original-title="" 
     title="">
  </i>
  Enter Budget
</button>

Please see pic for more info.

I tried Lodash unescape, decodeHTMLEntities by Slavik Meltser, and decodeEntities, but it doesn't work.

Karim Ali
  • Be aware of xss https://de.m.wikipedia.org/wiki/Cross-Site-Scripting – Dominik Lovetinsky Jun 14 '22 at 19:55
  • Does this answer your question? [Unescape HTML entities in JavaScript?](https://stackoverflow.com/questions/1912501/unescape-html-entities-in-javascript) – Heretic Monkey Jun 14 '22 at 20:09
  • Even if you are able to decode these `>` (and other html entities) your API response isn't formatted correctly - there is no quotes around, for example `type=button class=Button` so you'll need to do something to handle those cases. And then again, definitely consider the XSS vulnerability you are opening yourself up to. If any data from this API comes from users _in any way_ it can be exploited. – Tom Jun 14 '22 at 20:11
  • I tried Lodash unescape, decodeHTMLEntities by Slavik Meltser, and decodeEntities, but it doesn't work. – Karim Ali Jun 14 '22 at 20:33

1 Answer


Depending on your template engine, there may be a more appropriate method, but assuming this @ output escapes as HTML, you can put it in a (non-rendered) HTML context:

<template id="aaa-html">@ReportProperty2(45899,exportdata,,'16115898')@</template>

Then you can select the element and read it from JavaScript:

const aaa = document.getElementById('aaa-html').innerHTML;
Ry-
  • It doesn't work. The page is even parsing < in template id="aaa-html" with this code: <template id="aaa-html"><button type=button class=Button onclick="openwp('1677008','RHpdFBx7GS9YGFEwFmUUCyE4Ih8lHyA!H2JbUENBa1BV')" ><i class="fa fa-pencil-square-o" style="margin: 0 4px 0 0"></i>Enter Budget</button></template> and it breaks. – Karim Ali Jun 14 '22 at 20:50
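Added example (not part of the question or of Ry-'s answer) addressing both the decoding problem and the XSS warning in the comments: decode the entities as a plain string, then accept only the fields the API is expected to return and build the button with DOM APIs instead of `innerHTML`. It assumes `openwp` is the page's existing global and that the API output has the exact shape quoted in the question; the sample string is constructed from that quote.

```javascript
// Constructed sample mirroring the API result quoted in the question.
const SAMPLE = '&lt;button type=button class=Button onclick="openwp(\'1677008\',\'RHpdFBx7GS9YGFEwFmUUCyE4Ih8lHyA!H2JbUENBa1BV\')" &gt;&lt;i class="fa fa-pencil-square-o" style="margin: 0 4px 0 0"&gt;&lt;/i&gt;Enter Budget&lt;/button&gt;';

const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", nbsp: '\u00a0' };

// Minimal entity decoder (named + numeric). Pure string work: nothing is
// parsed as HTML, so a decoded "<script>" is just text at this point.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const v = NAMED[body.toLowerCase()];
    return v === undefined ? m : v;
  });
}

// Allow-list parser: the whole string must match the documented shape
// (quotes around type/class optional, as the API omits them). Anything
// else, e.g. an extra attribute or a different handler, is rejected.
const SPEC_RE = /^<button type="?button"? class="?Button"? onclick="openwp\('(\d+)','([A-Za-z0-9!]+)'\)" ><i class="([a-z0-9 -]+)" style="margin: 0 4px 0 0"><\/i>([^<>]+)<\/button>$/;

function parseButtonSpec(decoded) {
  const m = SPEC_RE.exec(decoded.trim());
  if (!m) return null;
  return { id: m[1], token: m[2], iconClass: m[3], label: m[4].trim() };
}

// Build the element with DOM APIs; the click handler receives validated
// arguments rather than an attacker-writable onclick attribute.
function renderButton(spec, doc = globalThis.document) {
  const btn = doc.createElement('button');
  btn.type = 'button';
  btn.className = 'Button';
  const icon = doc.createElement('i');
  icon.className = spec.iconClass;
  icon.style.margin = '0 4px 0 0';
  btn.append(icon, spec.label);
  btn.addEventListener('click', () => globalThis.openwp(spec.id, spec.token));
  return btn;
}

// Browser usage (skipped under Node): mount the button if the spec is valid.
const spec = parseButtonSpec(decodeEntities(SAMPLE));
if (spec && typeof document !== 'undefined') {
  document.body.appendChild(renderButton(spec));
}
```

If the real API output drifts from the quoted shape, `parseButtonSpec` returns `null` and nothing is rendered, which is the safe failure mode.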