StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POCombo box populates a text field - JavaScript and user input
primarykey
Id
16382777
data
AcceptedAnswerId
16466617
AnswerCount
3
ClosedDate
CommentCount
4
CommunityOwnedDate
CreationDate
2013-05-05T08:31:59.563
FavoriteCount
0
LastActivityDate
2013-05-14T15:31:44.843
LastEditDate
2013-05-05T08:40:55.673
LastEditorUserId
992988
OwnerUserId
992988
ParentId
0
PostTypeId
1
Score
0
ViewCount
1868
LastEditorDisplayName
text
Body
<h2>Setup</h2> <p>What I need in the end: a combo box and a text field. Selecting an item from the combo box populates a value in the text field. Items in the combo box come from user input.</p> <p>This is my current code that works nice:</p> <pre><code>function fill() { var select = document.getElementById("select"); var value = select.options[select.selectedIndex].value; var textfield = document.getElementById("textfield"); switch (value) { case "1": textfield.value = "some user-provided text"; break; case "2": textfield.value = "containing possibly < > & etc."; break; } } <select id="select" onchange="fill()"> <option>Select something...</option> <option value="1">Select option 1</option> <option value="2">Select option 2</option> </select> <input type="text" id="textfield"/> </code></pre> <h2>Problem</h2> <p>I am not sure what to do if the user-provided text to populate contains dangerous characters. Usually I would HTML-encode it before writing it in the HTML code, but now I am writing it into JavaScript code.</p> <p>All of the JavaScript is generated by a Java backend. I can't really create it like this:</p> <pre><code>String value = getValueFromUser(); write("textfield.value = \"" + value + "\";"); </code></pre> <p>Because then someone would enter <code>"; somethingBad(); //</code> and some other user would on selecting this option get <code>somethingBad()</code> executed.</p> <p>If I HTML-encode the value:</p> <pre><code>String value = htmlEncode(getValueFromUser()); write("textfield.value = \"" + value + "\";"); </code></pre> <p>Then (security questions aside) after selecting a value in the combo box the text field will be populated with HTML-encoded text.</p> <h2>Question</h2> <p>How do I encode the user-provided values so that:</p> <ul> <li>They cannot be misused for JavaScript code injection, and</li> <li>They look the same after being populated into the text field?</li> </ul>
Tags
<javascript><encoding><combobox><populate>
Title
Combo box populates a text field - JavaScript and user input
singulars
PostAcceptedAnswerId
1. PO
  singulars
  PostTypePostTypeId
  PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USvektor
UserOwnerUserId
1. USvektor
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
  singulars
  PostTypePostTypeId
  PTAnswer
2. PO
  singulars
  PostTypePostTypeId
  PTAnswer
3. PO
  singulars
  PostTypePostTypeId
  PTAnswer
VotesPostIdCreationDate
1. VO
  singulars
  PostPostId
  POCombo box populates a text field - JavaScript and user input
  UserUserId
  USvektor
  VoteTypeVoteTypeId
  VTBountyStart
2. VO
  singulars
  PostPostId
  POCombo box populates a text field - JavaScript and user input
  UserUserId
  This table or related slice is empty.
  VoteTypeVoteTypeId
  VTBountyClose
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.