
Below is part of my node.js application's client code using an EJS template. There is an input box, and if the user isn't logged in, I want to show a message in the input box. Also, the input box should be disabled too.

But it doesn't show properly. How can I display the whole statement including spaces, not just 'Need' but 'Need to Login'?

    <input type="text" <%= (isAuthenticated) ? '' : "value='Need to Login'" %> />
    // view : 'Need
    // It doesn't show after space
  • you're rendering this on node? it sounds like it's hitting the browser un-interpolated... Commented Feb 20, 2016 at 9:03
  • @dandavis No, it's .ejs code, I'm testing it in Google Chrome... Commented Feb 20, 2016 at 9:09
  • looking at the answer, which is probably right, it was kinda hitting the browser interpolated, but not in the way i thought. do watch out for XSS if any of that content can ever be dynamic. Commented Feb 20, 2016 at 9:13

1 Answer


In EJS <%= foo %> escapes HTML, while <%- foo %> does not.

In your case, <%= "value='Need to Login'" %> will render value=&#39;Need to Login&#39;, which isn't what you want.

Replacing <%= with <%- will do the trick.

In general though, be thoughtful when using <%-, especially when showing arbitrary strings or user input, as it could make you vulnerable to XSS.


1 Comment

It's working properly. Before, I sometimes wondered about the difference between <%= and <%-; now I got it. Thanks!
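
The difference the answer describes, as an added example that is not part of the original posts. escapeHtml is a stand-in assumed to match the escaping EJS applies to <%= %> output; the three render functions mirror the question's template, the <%- fix, and a variant that keeps the quotes in the template and escapes only the value. All message strings are constructed.

```javascript
// Stand-in for the escaping EJS applies to <%= %> output (assumption: same
// five characters and entities as EJS's default escape function).
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// 1. The question's template: <%= "value='...'" %>
//    The attribute's own quotes are escaped too, so the browser sees an
//    unquoted attribute value, and that ends at the first space.
function renderEscapedAttr(msg) {
  return `<input type="text" ${escapeHtml(`value='${msg}'`)} />`;
}

// 2. The <%- %> fix: the string is emitted as-is, markup included.
//    Fine for a fixed literal, unsafe once msg can vary.
function renderRawAttr(msg) {
  return `<input type="text" value='${msg}' />`;
}

// 3. Quotes stay in the template and only the value goes through <%= %>:
//    <input type="text" value="<%= msg %>" />
function renderEscapedValue(msg) {
  return `<input type="text" value="${escapeHtml(msg)}" />`;
}

// Constructed sample inputs: the static string from the question and a
// string containing a quote, standing in for content that became dynamic.
const STATIC_MSG = 'Need to Login';
const QUOTED_MSG = "x' onfocus='alert(1)";

for (const msg of [STATIC_MSG, QUOTED_MSG]) {
  console.log('escaped attribute:', renderEscapedAttr(msg));
  console.log('raw attribute:    ', renderRawAttr(msg));
  console.log('escaped value:    ', renderEscapedValue(msg));
}
```

With the quoted input, the raw variant lets the value close its own attribute and add a second one, while the third variant keeps the whole string inside value="...".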
