I’m building a web application (using prototype) that requires the addition of large chunks of HTML into the DOM. Most of these are rows that contain elements with all manner of attributes.
Currently I keep a blank row of HTML in a variable and
var blankRow = '<tr><td>'
+'<a href="{LINK}" onclick="someFunc(\'{STRING}\');">{WORD}</a>'
+'</td></tr>';
function insertRow(o) {
newRow = blankRow
.sub('{LINK}',o.link)
.sub('{STRING}',o.string)
.sub('{WORD}',o.word);
$('tbodyElem').insert( newRow );
}
Now that works all well and dandy, but is it the best practice?
I have to update the code in the blankRow when I update code on the page, so the new elements being inserted are the same. It gets sucky when I have like 40 lines of HTML to go in a blankRow and then I have to escape it too.
Is there an easier way? I was thinking of urlencoding and then decoding it before insertion but that would still mean a blankRow and lots of escaping.
What would be mean would be a eof function a la PHP et al.
$blankRow = <<<EOF
text
text
EOF;
That would mean no escaping but it would still need a blankRow.
What do you do in this situation?
SOLVED
Ended up using a DOMBuilder in prototype. No other libraries were needed:
$w('a div p span img table thead td th tr tbody tfoot input').each(function(e) {
window['$' + e] = function() {
return new Element(e, arguments[0]);
}
});
newPart = $div({id: 'partition-4'})
.insert( $p()
.insert('<b>Stuff</b>')
)
.insert( $p({
id: 'a-p'})
.insert('<b>More stuff</b>')
);
$('parentDiv').insert(newPart);
No. In fact you’ve got HTML-injection problems leading to bugs, and in the worst case where the injected strings may contain user-submitted content, XSS security holes.
When you put plain text content and attribute values into an HTML string, you must HTML-encode them. In PHP, you have to call
htmlspecialchars()on strings going into HTML to do it. In JavaScript, you don’t get a built-in HTML-escaping function, so you have to make your own, eg. by usings.replace(/&/g, '&').replace(/</g, '<').replace(/"/g, '"')on the string going into the HTML.That’s a whole new level of escaping mess. In a JavaScript string literal inside an event handler attribute, you would have to JS-encode the string (
\-escaping'and\plus a few Unicode characters for completeness) and then HTML-encode the results. Otherwise the string can break out of its string-literal delimiter and inject arbitrary JS code. Avoid inline event handler attributes in all cases, but especially in templating.Creating page content with HTML strings sucks. You are very likely to make escaping errors and compromise the security of your application. Use DOM-like methods instead and you don’t have to worry about this. You seem to be using jQuery, so try the jQuery 1.4 element creation shortcuts:
or, keep your blank row actually inside the document as HTML, but then hide it (
display: none) or detach it from the document at start time (removeChildor jQuerydetach). Then when you want a new row, clone the blank row and make the changes you need:If you must create content from string templates, ensure your templating function HTML-escapes every replacement by default, and attach events by selecting nodes inside the parsed content to call
click(function() { ... })on. Or use event delegation (eg. jQuerylive()) to handle events without having to bind to new nodes when added.