Wikipedia:Reference desk/Archives/Computing/2021 November 17

= November 17 =

== Contenteditable attribute in HTML ==
The web application I am developing at work needs the user to be able to edit strings of text that are then stored in the database. The design of the UI shows that the user should be able to edit normal text "in place", without using a separate edit box.

From what I've found on the Internet, this could be done by placing the text in a div element with a "contenteditable" attribute set. But there are some questions.

I specifically want to avoid HTML or JavaScript injection. Whatever the user types into the element should stay as plain text and not interfere with the actual HTML elements. Is there a guarantee for this? Also, what happens if the content in the div element includes HTML elements to begin with? J I P | Talk 23:11, 17 November 2021 (UTC)


 * If code injection is a risk, the client's browser is broken. There is no hard guarantee that all web browsers out there behave as they should. But how is the user-supplied input transmitted from their browser to the server side? --Lambiam 16:08, 18 November 2021 (UTC)
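
One way to keep the edited text plain on both sides of the round trip discussed in this thread, as an added example that is not part of the original posts. The function names, the 500-character limit and the sample string are assumptions made for illustration.

```javascript
// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Server side: build the editable element from the stored string. Because the
// value is escaped, markup stored in it renders as literal characters instead
// of becoming child elements of the div.
function renderEditable(id, storedText) {
  return `<div id="${escapeHtml(id)}" contenteditable="true">${escapeHtml(storedText)}</div>`;
}

// Server side: the submitted value is untrusted regardless of what the browser
// did. Treat it as opaque text: check the type, bound the size, drop control
// characters, and never parse it as HTML.
function normalizeSubmitted(value, maxLength = 500) { // limit is an assumption
  if (typeof value !== "string") throw new TypeError("expected a string");
  const cleaned = value
    .replace(/\r\n?/g, "\n") // unify line endings
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "")
    .trim();
  if (cleaned.length > maxLength) throw new RangeError("text too long");
  return cleaned;
}

// Client side: read the element's text, not its markup. Pasted rich text can
// leave elements inside a contenteditable div; textContent returns only text.
function readEditable(element) {
  return element.textContent;
}

// Client side: write text back without HTML parsing (unlike innerHTML).
function writeEditable(element, text) {
  element.textContent = text;
}

// Constructed sample: the user typed markup into the field.
const typed = "<script>alert(1)</script> & more";
const stored = normalizeSubmitted(typed);     // stored verbatim as text
const html = renderEditable("title", stored); // escaped only at output time
```

`readEditable` and `writeEditable` are meant for the browser, where `element` is the contenteditable div; the other functions run wherever the page is generated.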