7

When I submit/POST data to the server, I need to HTML-encode its characters (the relevant ones), since disabling the input check by setting validationRequest = false is not a good practice.

All the solutions are finally replacing chars in a string:

This is what I've written.

function htmlEncode(str) {
    // & must be replaced first, otherwise the entities added below would be encoded again
    str = str.replace(/&/g, "&amp;");
    str = str.replace(/</g, "&lt;");
    str = str.replace(/>/g, "&gt;");
    str = str.replace(/ /g, "&nbsp;");
    return str;
}

But apparently regex could be replaced with something much faster (don't get me wrong - I love regex).

Also, working with indexes + sub-strings seems wasteful.

What is the fastest way of doing it?

11
  • 5
    disabling input check by setting validationRequest = false - is not a good practice — Hacking around a security filter that rejects data you want to accept is worse practice. Set up your security filters to access the type of content you want to accept instead of accepting defaults designed to protect people who don't know what they are doing. Commented Sep 24, 2012 at 9:19
  • 2
    stackoverflow.com/questions/1219860/… Commented Sep 24, 2012 at 9:20
  • 1
    stackoverflow.com/questions/1219860/… (edit: @ammoQ - heh!) Commented Sep 24, 2012 at 9:21
  • 1
    @RoyiNamir — Good/Great programmers don't micro-optimise until code profiling says they need to. They write code designed to maximise maintainability. Commented Sep 24, 2012 at 9:37
  • 1
    @RoyiNamir — Not HTML encoding on the client in the first place will give the best performance on the client. Commented Sep 24, 2012 at 9:38

3 Answers

12
function htmlEncode(str) {
    return String(str)
            .replace(/&/g, '&amp;')
            .replace(/"/g, '&quot;')
            .replace(/'/g, '&#39;')
            .replace(/</g, '&lt;')
            .replace(/>/g, '&gt;');
}

jsperf tests show this method is fast and possibly the fastest option if you're in a recent browser version.

Another way to do it is also like this:

function htmlEncode(value){
  return $('<div/>').text(value).html();
}

function htmlDecode(value){
  return $('<div/>').html(value).text();
}

4 Comments

This won't handle multiple spaces.
This works for most scenarios, but this implementation of htmlDecode will eliminate any extra whitespace. So for some values of "input", input != htmlDecode(htmlEncode(input)). This was a problem for us in some scenarios. For example, if input = "<p>\t Hi \n There </p>", a roundtrip encode/decode will yield "<p> Hi There </p>".
I think get text and the trim() function will help you, or maybe ` .replace(/ /g, ' ')`
I had to replace &#39; with &apos; for apostrophes to avoid the .net "potentially dangerous" error.
-1

If you are just encoding HTML entities, you can try:

function htmlEncode(str) {
    var d = document.createElement('b');
    d.innerText = str;
    return d.innerHTML;
}

This way is not the fastest. This test indicates that regExp is faster: http://jsperf.com/encodehtml

However, the difference seems to be smaller the more HTML you consume.

The innerText method seems more reliable as it will exploit the native browser conversion tables for entities. With RegExp, there is always a chance that you missed something and as some previous answers indicate, consuming HTML using RegExp is not always optimal.

2 Comments

see my comment to Champ. same here
Yes, it’s worth noting that this method returns the browser implementation of innerText, so \n becomes <br> etc. If you need explicit control over each character, RegExp is probably better.
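The accepted answer chains five .replace() calls and the answer above warns that a hand-written regex may miss a character. The following added example (not code from any answer on this page) does the same five escapes in a single scan with a lookup table, pairs it with a decoder for exactly those entities so a round trip can be verified without relying on a browser's innerText whitespace handling, and includes a small check that reports which of the five characters a given encoder leaves unescaped (the question's version, for instance, leaves quotes alone, which matters when the value is placed inside an attribute). Function names are my own.

```javascript
// Added example: single-pass HTML encoder/decoder with a coverage check.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// One regex pass with a lookup callback: the string is walked once
// instead of once per chained .replace() call, and ordering problems
// (encoding '&' after the other entities) cannot arise.
function htmlEncodeOnePass(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Decoder for exactly the entities the encoder emits (plus &apos;).
// A single pass means '&amp;lt;' becomes '&lt;' and is not decoded twice.
const HTML_UNESCAPES = {
  '&amp;': '&',
  '&lt;': '<',
  '&gt;': '>',
  '&quot;': '"',
  '&#39;': "'",
  '&apos;': "'",
};

function htmlDecodeOnePass(str) {
  return String(str).replace(/&(?:amp|lt|gt|quot|apos|#39);/g, (ent) => HTML_UNESCAPES[ent]);
}

// Reports which of the five context-relevant characters an encoder
// passes through unchanged. An encoder that returns [] is safe for both
// element text and quoted attribute values; one that leaves '"' or "'"
// is only safe for element text.
function unescapedChars(encode) {
  return Object.keys(HTML_ESCAPES).filter((ch) => encode(ch) === ch);
}

// Round-trip check: tabs, newlines and repeated spaces must survive,
// unlike the jQuery .text()/.html() approach discussed in the comments.
function roundTrips(str) {
  return htmlDecodeOnePass(htmlEncodeOnePass(str)) === str;
}
```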
-1
function htmlEncode(value){
    if (value) {
        return jQuery('<div />').text(value).html();
    }
    return '';
}
 
function htmlDecode(value) {
    if (value) {
        return $('<div />').html(value).text();
    }
    return '';
}

1 Comment

This works for most scenarios, but this implementation of htmlDecode will eliminate any extra whitespace. So for some values of "input", input != htmlDecode(htmlEncode(input)). This was a problem for us in some scenarios. For example, if input = "<p>\t Hi \n There </p>", a roundtrip encode/decode will yield "<p> Hi There </p>".
