.attr does not unescape and escape attribute values

When setting or getting the value of an attribute using .attr, those values should be escaped/unescaped, otherwise invalid HTML is created when using $.html().

An example would be if you try to store JSON encoded data in an attribute:

$(elm).attr('data-test','{"key":"value"}');

Then the resulting HTML would be something like this:

<tag data-test="{"key":"value"}">

And if the element looks like this:

 <tag data-test="{&quot;key&quot;:&quot;value&quot;}">

Then $(elm).attr('data-test'); returns {&quot;key&quot;:&quot;value&quot;} instead of {"key":"value"}.

I have tested it with version 0.22.0.

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

3 reactions
rickyblaha commented, Mar 3, 2017

Load the document using the decodeEntities: false option, then the actual characters are used instead of HTML entities:

const cheerio = require('cheerio');
const $ = cheerio.load('<button data-test=""></button>', {
  decodeEntities: false
});
$('button').attr('data-test', '{"key":"value"}');
console.log($.html()); // <button data-test="{"key":"value"}"></button>

0 reactions
philipp65 commented, Mar 18, 2022

How would it be possible to correctly parse

<div data-actions='[{"event":"click","action":"scrollbelow"}]' >

The single quotes get replaced by double quotes, which produces wrong output.
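
The round trip the issue asks for, and the re-quoting case from the last comment, as an added example that is not part of the original thread and is not cheerio's code: values are escaped when written into a double-quoted attribute and decoded when read back. The helper names (`escapeAttr`, `decodeAttr`, `serialize`, `readAttrs`) are hypothetical, and the reader is a deliberately minimal regex, not a full HTML parser.

```javascript
// Added example: hypothetical helpers, not cheerio's implementation.
const NAMED = { amp: '&', quot: '"', apos: "'", lt: '<', gt: '>' };

// Escape a string for use inside a double-quoted attribute value.
// '&' goes first so the entities produced below are not escaped twice.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Decode numeric references and the five named entities above, in one pass.
function decodeAttr(raw) {
  return raw.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(\w+));/gi, (m, hex, dec, name) => {
    const cp = hex ? parseInt(hex, 16) : dec ? parseInt(dec, 10) : -1;
    if (cp >= 0) return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
  });
}

// Serialize one element, always with double-quoted attributes.
// escape=false reproduces the unescaped output shown in the thread.
function serialize(tag, attrs, escape = true) {
  const parts = Object.entries(attrs)
    .map(([k, v]) => `${k}="${escape ? escapeAttr(v) : v}"`);
  return `<${tag} ${parts.join(' ')}></${tag}>`;
}

// Minimal reader for name="value" / name='value' pairs (not a full HTML parser).
function readAttrs(html) {
  const out = {};
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  for (const m of html.matchAll(re)) {
    out[m[1]] = decodeAttr(m[2] !== undefined ? m[2] : m[3]);
  }
  return out;
}

// Constructed sample values, taken from the snippets in the thread.
const json = '{"key":"value"}';
const safe = serialize('tag', { 'data-test': json });
const broken = serialize('tag', { 'data-test': json }, false);
console.log(safe, '->', readAttrs(safe)['data-test']);
console.log(broken, '->', readAttrs(broken)['data-test']);
```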
