Escaping HTML inside comment tags

Escaping HTML is OK; it will remove < and > etc.

The problem starts when I output the file name inside the comment tag, for example: <!-- $(unknown) -->

Of course, things can go bad if you do not escape, so this becomes: <!-- <c:out value="$(unknown)"/> -->

The problem is that if the file has a "-" in its name, all the HTML is screwed, since you are not allowed to have <!-- -- -->.

Standard HTML escaping does not remove these dashes, and I was wondering if anyone was familiar with a simple/standard way to escape them.

+4

5 answers

HTML comment definition:

A comment declaration begins with <!, followed by zero or more comments, and then >. A comment begins and ends with "--" and does not contain any "--".

Of course, how a comment is parsed depends on the browser.

No obvious solution comes to mind, so I suggest you str_replace those double dashes.

+5

There is no good way to solve this problem. You cannot just escape them, because comments are read as plain text. You will need to do something like placing something between the hyphens or using some kind of code for a hyphen (for example, [HYPHEN]).

0

There is no universal way to escape these characters in HTML unless the number of these characters is a multiple of four, so if you use -- it will not work in Firefox, but ---- will work. So it all depends on the browser. For example, in Internet Explorer 8 it is not a problem; these characters are escaped properly. The same goes for Google's Chrome... Nevertheless, Firefox, even the latest version (3.0.4), cannot cope with escaping these characters.

0

Since this is obvious, you cannot directly display --; you can either encode them or use the fn:escapeXml or fn:replace tags accordingly. JSTL Documentation

0

You should not be trying to HTML-escape at all; the content of comments is not escaped, and it is fine to have a bare < or & inside.

-- is its own, unrelated problem and is not really fixable. If you do not need to recover the exact string, just replace to get rid of them (for example, replace with "__").

If you need to get a string through to JavaScript that will be reading the contents of the comment, use a string literal:

<!-- 'my-string' -->

which the script can then read using eval(commentnode.data). (Yes, an actual use for eval() at last!)

Then your escaping problem is how to put things in JS string literals, which is quite easily solved by escaping the ' and - characters:

<!-- 'Bob\x27s\x2D\x2Dstring' -->

(You should probably also escape <, & and " if you ever want to use the same escaping scheme to put a JS string literal inside a <script> block or inline handler.)

0
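The scheme from the last answer (a JS string literal inside the comment, with ' and - hex-escaped), as an added example that is not part of the original answers; it also escapes \, <, >, &, " and line terminators, checks the comment body for "--", and reads the literal back without eval(). The function names are my own.

```javascript
// Added example: encode a string as a JavaScript string literal that is safe
// inside an HTML comment, and decode it again without eval().  Extends the
// answer's scheme (escape ' and -) to also cover \, <, >, &, ", control
// characters and the JS line terminators U+2028/U+2029.

// Characters that must never appear raw inside the comment/literal.
const UNSAFE = /[\\'"<>&\-\u0000-\u001f\u2028\u2029]/g;

// Escape one code unit as \xHH (Latin-1 range) or \uHHHH (above it).
function hexEscape(ch) {
  const code = ch.charCodeAt(0);
  return code <= 0xff
    ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
    : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
}

// Returns a quoted JS literal such as 'Bob\x27s\x2D\x2Dstring'.
function toCommentLiteral(s) {
  return "'" + s.replace(UNSAFE, hexEscape) + "'";
}

// Wraps the literal in an HTML comment.
function toHtmlComment(s) {
  return '<!-- ' + toCommentLiteral(s) + ' -->';
}

// A comment body is well-formed if it has no "--" and does not end in "-".
function isSafeCommentBody(body) {
  return !body.includes('--') && !body.endsWith('-');
}

// Parse the literal back without eval(): the encoder only ever emits \xHH
// and \uHHHH escapes, so any other raw unsafe character means tampering.
function fromCommentLiteral(lit) {
  if (lit.length < 2 || lit[0] !== "'" || lit[lit.length - 1] !== "'") {
    throw new Error('not a quoted literal');
  }
  const body = lit.slice(1, -1);
  const stripped = body.replace(/\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}/g, '');
  if (/[\\'"<>&\-]/.test(stripped)) {
    throw new Error('unexpected raw character in literal');
  }
  return body.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}
```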
