Skip to main content

Return to Answer

deleted 16 characters in body
Source Link
nettux
nettux
  • 5.4k
  • 4
  • 26
  • 34

Your success function should look like this:

success: function(data) { notes_div = $("<div/>"); hfour = $("<h4/>").text("Tekst zaglavlje"); hfive = $("<h5/>").text(data.datum); para = $("<p/>").text(data.komentar); notes_div.append(hfour).append(hfive).append(para); $('#komenatri').append(); },

Other answers provided that just build your HTML as a string are not safe. They open you up to XSS (google it ;) ) but we fix that by making elements as JQuery objects and setting their .text() which makes the resultant content HTML safe.

You should also run your data through htmlspecialchars() in PHP before outputing it.

change:

$temp[] = array('datum' => (string) $r['datum'], 'komentar' => (string) $r['komentar']);

To

$temp[] = array('datum' => htmlspecialchars( (string) $r['datum'] ), 'komentar' => htmlspecialchars( (string) $r['komentar']) );

This will prevent users from injecting their own HTML into your pages with their comments.

Your success function should look like this:

success: function(data) { notes_div = $("<div/>"); hfour = $("<h4/>").text("Tekst zaglavlje"); hfive = $("<h5/>").text(data.datum); para = $("<p/>").text(data.komentar); notes_div.append(hfour).append(hfive).append(para); $('#komenatri').append(); },

Other answers provided that just build your HTML as a string are not safe. They open you up to XSS (google it ;) ) but we fix that by making elements as JQuery objects and setting their .text() which makes the resultant content HTML safe.

Your success function should look like this:

success: function(data) { notes_div = $("<div/>"); hfour = $("<h4/>").text("Tekst zaglavlje"); hfive = $("<h5/>").text(data.datum); para = $("<p/>").text(data.komentar); notes_div.append(hfour).append(hfive).append(para); $('#komenatri').append(); },

Other answers provided that just build your HTML as a string are not safe. They open you up to XSS (google it ;) ) but we fix that by making elements as JQuery objects and setting their .text() which makes the resultant content HTML safe.

You should also run your data through htmlspecialchars() in PHP before outputing it.

change:

$temp[] = array('datum' => (string) $r['datum'], 'komentar' => (string) $r['komentar']);

To

$temp[] = array('datum' => htmlspecialchars( (string) $r['datum'] ), 'komentar' => htmlspecialchars( (string) $r['komentar']) );

This will prevent users from injecting their own HTML into your pages with their comments.

deleted 16 characters in body
Source Link
nettux
nettux
  • 5.4k
  • 4
  • 26
  • 34

Your success function should look like this:

success: function(data) { notes_div = $("<div><"<div/div>">"); hfour = $("<h4><"<h4/h4>">").text("Tekst zaglavlje"); hfive = $("<h5><"<h5/h5>">").text(data.datum); para = $("<p><"<p/p>">").text(data.komentar); notes_div.append(hfour).append(hfive).append(para); $('#komenatri').append(); },

Other answers provided that just build your HTML as a string are not safe. They open you up to XSS (google it ;) ) but we fix that by making elements as JQuery objects and setting their .text() which makes the resultant content HTML safe.

Your success function should look like this:

success: function(data) { notes_div = $("<div></div>"); hfour = $("<h4></h4>").text("Tekst zaglavlje"); hfive = $("<h5></h5>").text(data.datum); para = $("<p></p>").text(data.komentar); notes_div.append(hfour).append(hfive).append(para); $('#komenatri').append(); },

Other answers provided that just build your HTML as a string are not safe. They open you up to XSS (google it ;) ) but we fix that by making elements as JQuery objects and setting their .text() which makes the resultant content HTML safe.

Your success function should look like this:

success: function(data) { notes_div = $("<div/>"); hfour = $("<h4/>").text("Tekst zaglavlje"); hfive = $("<h5/>").text(data.datum); para = $("<p/>").text(data.komentar); notes_div.append(hfour).append(hfive).append(para); $('#komenatri').append(); },

Other answers provided that just build your HTML as a string are not safe. They open you up to XSS (google it ;) ) but we fix that by making elements as JQuery objects and setting their .text() which makes the resultant content HTML safe.

Source Link
nettux
nettux
  • 5.4k
  • 4
  • 26
  • 34

Your success function should look like this:

success: function(data) { notes_div = $("<div></div>"); hfour = $("<h4></h4>").text("Tekst zaglavlje"); hfive = $("<h5></h5>").text(data.datum); para = $("<p></p>").text(data.komentar); notes_div.append(hfour).append(hfive).append(para); $('#komenatri').append(); },

Other answers provided that just build your HTML as a string are not safe. They open you up to XSS (google it ;) ) but we fix that by making elements as JQuery objects and setting their .text() which makes the resultant content HTML safe.