HTML from database

Examples of a safe and an unsafe way to generate dynamic content

To prevent XSS injections, developers must know how to treat data from the database safely. Default Appframe functionality should always be safe, but still double-check it, and pay particular attention when implementing something custom.

Tag Content

Safe way to generate it

    function addSafeWay() {
        /* Create the tag via JavaScript: the tag name comes from the row */
        var vElement = document.createElement(dsContent.currentRow().Tag);
        /* Create a text node: the content is inserted as text, never parsed as HTML */
        var vText = document.createTextNode(dsContent.currentRow().Content);
        vElement.appendChild(vText);
        var vTarget = document.getElementById("cTarget");
        /* Remove the previous element this way mostly for better performance */
        if (vTarget.firstChild) {
            vTarget.removeChild(vTarget.firstChild);
        }
        vTarget.appendChild(vElement);
    }

Simple but unsafe way to generate it

    function addSimpleNotSafeWay() {
        /* jQuery's shortest method to add some content: the value is parsed as HTML */
        $("#cTarget2").html(dsContent.currentRow().Content);
    }
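The difference between the two approaches, as an added example that is not part of the original page or of Appframe: the safe pattern (createElement plus createTextNode) is rebuilt against a tiny in-memory stand-in for the DOM so it runs outside a browser, and a tag allowlist is added because the Tag column comes from the database as well. The row object, the allowlist and the fake document are constructed for this example.

```javascript
// Added example: minimal stand-in for the DOM, only what the safe pattern needs.
// toHTML() serializes the way a browser's innerHTML would.
class FakeNode {
  constructor(tag, text) { this.tag = tag; this.text = text; this.children = []; }
  appendChild(child) { this.children.push(child); return child; }
  toHTML() {
    if (this.tag === null) return escapeText(this.text);  // text node: always escaped
    const inner = this.children.map(c => c.toHTML()).join("");
    return `<${this.tag}>${inner}</${this.tag}>`;
  }
}

function escapeText(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Constructed stand-in for the browser's document object.
const fakeDocument = {
  createElement: tag => new FakeNode(tag, null),
  createTextNode: text => new FakeNode(null, text),
};

// Assumed allowlist: plain text containers only. Since Tag also comes from the
// database, a row whose Tag is e.g. "script" must not reach createElement.
const ALLOWED_TAGS = new Set(["p", "span", "div", "b", "i", "em", "strong", "li"]);

// Mirrors addSafeWay(): the Content cell becomes a text node, never markup.
// Returns the serialized element, or null when the tag is not allowed.
function renderRow(row, doc = fakeDocument) {
  const tag = String(row.Tag).toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return null;
  const el = doc.createElement(tag);
  el.appendChild(doc.createTextNode(row.Content));
  return el.toHTML();
}

// Mirrors addSimpleNotSafeWay(): the Content cell is parsed as HTML, so any
// markup inside it becomes real elements in the page.
function renderRowUnsafe(row) {
  return `<div id="cTarget2">${row.Content}</div>`;
}

// Constructed sample row whose content happens to contain markup.
const sampleRow = { Tag: "p", Content: "<b>bold</b> & more" };

console.log(renderRow(sampleRow));        // markup shown literally as text
console.log(renderRowUnsafe(sampleRow));  // markup becomes a real <b> element
console.log(renderRow({ Tag: "script", Content: "x" }));  // null: tag rejected
```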
