Reputation: 1542
I have a bunch of HTML text that looks like this:
<p><strong>Pellentesque habitant morbi tristique</strong> senectus et netus et malesuada fames ac turpis egestas.
Vestibulum tortor quam, feugiat vitae, ultricies eget, tempor sit amet,
ante. Donec eu libero sit amet quam egestas semper.
<em>Aenean ultricies mi vitae est.</em> Mauris placerat
This is text that a user will post to a forum, and this formatted string is then stored on a server. I am displaying this text on another page, but would like it to be rendered as the user formatted it, e.g.:
Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Vestibulum tortor quam, feugiat vitae, ultricies eget, tempor sit amet, ante. Donec eu libero sit amet quam egestas semper. Aenean ultricies mi vitae est. Mauris placerat
I have tried using <pre>, <p>, and other tags, but they just print out the raw HTML instead of using the formatting given. I am currently using Angular.JS for my page.
Sample text obtained from http://html-ipsum.com/, "Kitchen Sink" example
Upvotes: 0
Views: 510
Reputation: 6062
You are likely storing the string uuencoded, so it displays the codes shown literally.
I'd double check your raw data store to verify this.
In any case THIS IS NOT A RECOMMENDED WAY TO APPROACH YOUR CODE. You are basically inviting a malicious user to potentially inject malicious code into your other users.
When allowing users to input any html, it is best to only allow a small subset of tags (and a small subset of attributes), and even then it is very hard to get right.
See Cross-Site Scripting (XSS) Tutorial for more.
Upvotes: 1
Reputation: 3330
It sounds like, at some point during the process of storing your HTML, you have escaped the HTML entities (i.e. converted < to &lt;, that sort of thing).
I don't know what language you're working in, but it's possible to unescape HTML characters in pretty much any language. Here's an answer about doing it in JavaScript. The html_entity_decode() method will do the trick in PHP. For whatever language you're working in, just do research on "unescape html entities" in that language.
Warning: since you are unescaping HTML, there's the risk that the user might have written something naughty (i.e. like a <script> tag with some malicious JS code). Make sure you're cleaning out any nasty HTML somewhere along the line.
Upvotes: 0
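A worked version of the advice in both answers, as an added example that is not from the question or either answer: decode the stored entities, then keep only a small allow-list of formatting tags with every attribute dropped, so a <script> tag or an onclick handler the user typed never reaches the page. The tag list and the function names are assumptions, and a real site should use a maintained sanitizer such as DOMPurify rather than this regex-based one.

```javascript
// Added example (not the question's or answers' code): unescape the stored
// HTML entities, then allow only plain formatting tags before rendering.
// The allow-list and helper names below are assumptions for illustration.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode named, decimal (&#39;) and hex (&#x27;) entities; unknown ones stay.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp > 0 && cp <= 0x10ffff
        ? String.fromCodePoint(cp)
        : m;
    }
    const key = body.toLowerCase();
    return key in NAMED ? NAMED[key] : m;
  });
}

// Formatting tags a forum post may keep (assumed list); everything else is removed.
const ALLOWED = new Set(['p', 'strong', 'em', 'br', 'ul', 'ol', 'li']);

// Keep only allow-listed tags with no attributes, drop other tags (their text
// content stays as inert text), and re-escape any stray '<' or '>' so the
// browser cannot interpret it as markup.
function sanitizeHtml(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)[^<>]*>|[<>]/g, (m, name) => {
    if (name === undefined) return m === '<' ? '&lt;' : '&gt;';
    const tag = name.toLowerCase();
    if (!ALLOWED.has(tag)) return '';
    return m[1] === '/' ? `</${tag}>` : `<${tag}>`;
  });
}

// What the display page should do with the string it reads from the server.
function renderStoredPost(stored) {
  return sanitizeHtml(decodeEntities(stored));
}

// Constructed sample: the escaped form a server might have stored.
const stored = '&lt;p&gt;&lt;strong&gt;Pellentesque habitant&lt;/strong&gt; morbi&lt;/p&gt;';
console.log(renderStoredPost(stored));
```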