I’m currently trying to build a chat app, using the official markdown package (`meteor add markdown`) as well as underscore’s `escape` function, and my template contains something like this:

```html
<span class="message-content">
  {{#markdown}}{{text}}{{/markdown}}
</span>
```
When I grab the text from the chat input box, I try to sanitize the input by escaping any HTML and also adding in line breaks. `safeText` is then inserted into the database and displayed in the above template.

```javascript
var rawText = $("#chat-input-textbox").val();
// Escape &, <, >, " and ' with underscore, then turn every line break
// into a blank line so Markdown treats each one as a paragraph break.
var safeText = _.escape(rawText).replace(/(?:\r\n|\r|\n)/g, '\n\n');
```
I test with the following input:

````
<script>alert("test")</script>
```
alert('hello');
```
This is _italics_!
````
Everything looks as expected, except that `alert('hello');` has become `alert(&#x27;hello&#x27;);` instead. The `<pre>` blocks aren’t rendering the escaped characters, which makes sense. But the problem is, the underscore JS escape function escapes everything.

I would’ve thought this to be a common enough problem that there should be a package for it. What’s an easy way to get around this?
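An added example (not code from the question, from underscore, or from Meteor's markdown package) showing why the code block ends up double-escaped and one way around it: escape only the prose between code spans and fences, and leave the code for the Markdown renderer, which escapes it exactly once. The helper names `escapeHtml`, `renderFence` and `escapeOutsideCode` are assumptions, and `renderFence` is a stand-in for what a renderer does with a fenced block, not the markdown package's API.

```javascript
// Added example, not code from the question or from Meteor's markdown package.
// Helper names (escapeHtml, renderFence, escapeOutsideCode) are assumptions.

// The same replacement map underscore's _.escape uses. Note that it also
// escapes the backtick, which Markdown needs for code spans and fences.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

function escapeHtml(text) {
  return text.replace(/[&<>"'`]/g, (c) => ESCAPE_MAP[c]);
}

// Stand-in for what a Markdown renderer does with a fenced block: it escapes
// the code itself. Feeding it already-escaped text is the double escape the
// question observes (' -> &#x27; -> &amp;#x27;, displayed literally as &#x27;).
function renderFence(code) {
  return '<pre><code>' + escapeHtml(code) + '</code></pre>';
}

// Matches fenced blocks (```...```) and inline code spans (`...`). The single
// capture group makes String.prototype.split keep the matches at odd indices.
const CODE_RE = /(```[^\n]*\n[\s\S]*?\n```|`[^`\n]+`)/g;

// Escapes HTML and turns line breaks into Markdown paragraph breaks in the
// prose segments only; code segments are returned untouched so the renderer
// escapes them once. An unclosed fence never matches CODE_RE, so it is treated
// as prose and fully escaped, which is the safe default.
function escapeOutsideCode(text) {
  return text
    .split(CODE_RE)
    .map((segment, i) => (i % 2 === 1
      ? segment
      : escapeHtml(segment).replace(/\r\n|\r|\n/g, '\n\n')))
    .join('');
}

// The question's own test input.
const sample = '<script>alert("test")</script>\n```\nalert(\'hello\');\n```\nThis is _italics_!';

console.log(escapeOutsideCode(sample));
console.log(renderFence(escapeHtml("alert('hello');"))); // double-escaped
console.log(renderFence("alert('hello');"));             // escaped once
```

This only narrows the pre-escaping problem. Whatever HTML the Markdown renderer itself emits is untouched, for example an anchor built from `[text](javascript:...)` in renderers that do not filter URL schemes, so the more robust pattern is to render the raw Markdown and run the resulting HTML through an allow-list sanitizer before it reaches the template.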