Question

I'm writing an application that accepts form posts for a Knockout/jQuery Mobile application, so that later users can pull down the posted data and view what was filled in on the form.

A user could potentially put HTML or script tags in an input. Right now it appears that when the data is brought down and put back into the form, any HTML tags or scripts are displayed in the inputs and everything is fine. Even labels that have HTML seem escaped correctly and do not actually display as HTML.

But how can I be sure that if a user inputs some HTML in a form input like

<h1>Show This</h1> 

that when it is displayed in the form later, it doesn't actually mess with the display of the form or run a script tag or something?

Does Web API or Knockout provide any sort of automatic encoding so that this scenario is mostly covered?


Solution

The text binding in Knockout will escape the value by creating a text node and populating it with the value.

The html binding, on the other hand, would not do this type of escaping and could potentially execute code, so you would not want to use it with user entered input.
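An added example, not from the question or the answer above and not Knockout's own code, that makes the difference between the two bindings concrete. The `text` binding sets the element's text content (a text node), so the browser never parses the value as markup; the `html` binding assigns `innerHTML`, so it does. `serializeAsTextNode` is an assumption: it reproduces what a browser gives back when you read `innerHTML` from an element whose only child is a text node, so the comparison can run outside a browser; the sample input is constructed to match the question's `<h1>` case plus a script tag.

```javascript
// Constructed sample of what a user might type into the form input.
const userInput = '<h1>Show This</h1><script>alert(1)</script>';

// What a `text` binding (data-bind="text: comment") yields: the value becomes a
// text node, and serializing that node back to HTML escapes &, < and >.
// This function is an assumption modelling that browser behaviour.
function serializeAsTextNode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// What an `html` binding (data-bind="html: comment") yields: the raw string is
// handed to innerHTML unchanged and the browser parses it as markup.
function serializeAsHtml(value) {
  return String(value);
}

// True when the serialized output still contains something the HTML parser
// would treat as a tag (a "<" followed by a tag name, "!" or "/").
function containsMarkup(serialized) {
  return /<[a-zA-Z!\/]/.test(serialized);
}

// Compare the two bindings for a given value.
function compareBindings(value) {
  const asText = serializeAsTextNode(value);
  const asHtml = serializeAsHtml(value);
  return {
    textBinding: asText,
    htmlBinding: asHtml,
    textCreatesElements: containsMarkup(asText), // false: shown literally
    htmlCreatesElements: containsMarkup(asHtml), // true: h1 and script parsed
  };
}

// Browser-only check of the same mechanism using the real DOM: append a text
// node (what `text` does) and read innerHTML back. Returns null under Node.
function textNodeRoundTrip(value) {
  if (typeof document === 'undefined') return null;
  const span = document.createElement('span');
  span.appendChild(document.createTextNode(value));
  return span.innerHTML; // equals serializeAsTextNode(value)
}

console.log(compareBindings(userInput));
```

For the inputs themselves, the `value` binding assigns the element's `value` property, which, like a text node, is never parsed as markup, so the form fields in the question stay safe as long as nothing re-renders the stored string through `html` or a string-built template.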

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow