
I am using this block of code and being told by a code validator that it should be sanitized.

What is wrong with it, and how can I sanitize it?

 el1 = document.getElementById('quote'); // this is fine
 el1.innerHTML = quoteNew; // this should be sanitized
  • Where does quoteNew come from? Commented May 16, 2017 at 23:24
  • If it is supposed to be just text, then the safe way is el1.textContent = quoteNew; Commented May 16, 2017 at 23:27
  • quoteNew is a string with some CSS added to it. Commented May 17, 2017 at 6:15
  • @GabyakaG.Petrioli: It works! Please make an answer so that I can choose your answer as the best answer. Commented May 17, 2017 at 6:21

1 Answer

If the contents of quoteNew are just text to display, then use the textContent property of the element.

 el1.textContent = quoteNew; 

3 Comments

What if I need to display HTML?
@S.W.G. Then you need to sanitize it according to your requirements. That is, if you do not know where the contents of quoteNew are coming from and whether they are safe to render.
In my case the content comes from an HTTPS request to my server; the only case in which malicious content could be injected is if the user connects using bad WiFi, so to exclude a MITM attack I found a library to sanitize it, just to be extra safe.
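The contrast the answer draws (textContent shows the string literally, innerHTML parses it) and the follow-up question about displaying HTML, as an added example that is not code from the question or the answer. It runs under Node with a stub element standing in for document.getElementById('quote'), a constructed quote carrying an injected <img onerror> payload, and a deliberately small allowlist of attribute-free formatting tags; anything else that looks like a tag is escaped to inert text. For arbitrary markup from an untrusted source, a maintained library such as DOMPurify is the better choice than extending an allowlist like this by hand.

```javascript
// Added example, not code from the original question or answer. The element
// is a stub so this runs under Node; in the browser el1 would be
// document.getElementById('quote'). The sample quote and its payload are
// constructed for the demonstration.

// Constructed input: a quote with a bit of markup, plus an injected <img>
// whose onerror handler would run if the string reached innerHTML as-is.
const quoteNew = 'Stay <b>hungry</b>, stay <i>foolish</i>.' +
  '<img src=x onerror="alert(document.cookie)">';

// Escape the characters that change meaning in HTML text or attributes.
// el.textContent = s shows s literally; el.innerHTML = escapeHtml(s) renders
// the same way, which is why textContent is the fix when no markup is wanted.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist sanitizer for the "but I need to display HTML" case. Only an
// exact set of attribute-free formatting tags survives; every other run of
// <...> (and every stray '<', '>' or '&') is escaped into inert text, so
// '<b onclick=...>' or '<scr<script>ipt>' never reaches the parser as a tag.
const ALLOWED_TAGS = new Set([
  '<b>', '</b>', '<i>', '</i>', '<em>', '</em>',
  '<strong>', '</strong>', '<br>',
]);

function sanitizeHtml(s) {
  // Split into tag-like tokens (captured) and the text between them.
  return String(s)
    .split(/(<[^<>]*>)/)
    .map((tok) => (ALLOWED_TAGS.has(tok.toLowerCase()) ? tok.toLowerCase() : escapeHtml(tok)))
    .join('');
}

// Stand-in for a DOM element (assumption: only innerHTML/textContent are
// needed). Setting textContent records the escaped form, which is what the
// browser's serializer would give back as innerHTML.
function makeElement() {
  return {
    innerHTML: '',
    set textContent(v) { this.innerHTML = escapeHtml(v); },
  };
}

// The three ways of putting quoteNew on the page; each returns the markup
// the browser would parse.
function renderUnsafe(el, s) { el.innerHTML = s; return el.innerHTML; }             // flagged by the validator
function renderAsText(el, s) { el.textContent = s; return el.innerHTML; }           // the answer's fix
function renderAsMarkup(el, s) { el.innerHTML = sanitizeHtml(s); return el.innerHTML; } // allowlisted HTML

function demo() {
  return {
    unsafe: renderUnsafe(makeElement(), quoteNew),
    text: renderAsText(makeElement(), quoteNew),
    markup: renderAsMarkup(makeElement(), quoteNew),
  };
}

console.log(demo());
```

The unsafe branch hands the <img> tag to the parser intact; the text branch shows the whole string, tags included, as literal characters; the markup branch keeps <b> and <i> and turns the payload into visible text. The sanitizer is strict on purpose: it matches whole tokens, so any attribute, whitespace variant or nested bracket trick falls through to escapeHtml.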
