jQuery ajax: escaping special characters in loaded content to prevent JS injection (with example)

  • 2020-03-29 23:55:14
  • OfStack

While building an ajax-based message board I ran into a problem. After a user writes a message it is submitted via ajax, and JavaScript then adds the message content to the page; browsing existing messages also goes through an ajax request whose result is displayed by JavaScript. So if someone writes JavaScript statements inside a comment, that script gets executed. The solution is to escape the special characters before displaying the content. If you use JSTL tags in a JSP this is very simple: the line `<c:out value="${r.content}" />` escapes automatically, because the omitted attribute escapeXml="true" is the default. So when displaying user-submitted content, do not use a bare EL expression, since EL does not escape anything; `<c:out>` is the better choice. If the content is fetched through an ajax request and then displayed, use the method below. It is actually very simple as well.

// Pass the untrusted string through .text(): jQuery stores it as a text node,
// so the markup is shown literally instead of being parsed as HTML.
var html = "<script>alert('asdfasdf')</script>";
$("#content").text(html);

So the solution is simply to escape these special characters: `<` becomes `&lt;` and `>` becomes `&gt;`. Doing the escaping with jQuery works fine: set the string as text on a hidden element with .text() and read the escaped markup back with .html().
<head>
<!-- jQuery must be loaded before the script below; the path is an assumption -->
<script src="jquery.js"></script>
<script>
// Run after the DOM is ready, otherwise #x and #content do not exist yet
// and .html() on the empty selection returns undefined.
$(function () {
  // "<\/script>" keeps the browser from ending this <script> element early.
  var html = "<script>alert('asdfasdf')<\/script>";
  // .text() stores the string as a text node; .html() serializes it back
  // with < and > turned into &lt; and &gt;, so it is safe to splice into markup.
  html = $("#x").text(html).html();
  $("#content").append("<div>" + html + "</div>");
});
</script>
</head>
<body>
<span id="x" style="display:none"></span>
<div id="content"></div>
</body>
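As an added example that is not part of the original article: a plain JavaScript escaper and a comment renderer that do the same job as the .text().html() trick above without depending on the DOM, so it also runs under Node. It goes one step further than the page by escaping quotes and the ampersand as well, which the text-node trick does not do and which matters when a user field ends up inside an attribute value. The record layout, the field names and the #content element are assumptions.

```javascript
// Added example (not code from the original article): a small HTML escaper
// and a comment renderer that escape user-supplied fields before they are
// spliced into markup, the same idea as the jQuery .text().html() trick
// above, but with no DOM dependency so it also runs under Node.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that can change meaning in HTML text or inside a
// quoted attribute value. '&' is included in the same pass, otherwise
// already-escaped input such as "&lt;" would be decoded back on display.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one comment record as returned by the ajax request
// (record layout is assumed). Only the fixed structure is raw HTML; every
// user-originated field goes through escapeHtml, including the one that
// lands in an attribute.
function renderComment(record) {
  return (
    '<div class="comment" title="' + escapeHtml(record.author) + '">' +
      "<b>" + escapeHtml(record.author) + "</b>: " +
      "<span>" + escapeHtml(record.content) + "</span>" +
    "</div>"
  );
}

// Constructed sample record: the kind of message body the article warns about.
const sampleRecord = {
  author: 'Eve "the tester"',
  content: "<script>alert('asdfasdf')</script>",
};

if (typeof document !== "undefined") {
  // Browser: the escaped markup renders the payload as literal text.
  document.getElementById("content")
    .insertAdjacentHTML("beforeend", renderComment(sampleRecord));
} else {
  console.log(renderComment(sampleRecord));
}
```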
