When I submit/POST data to the server, I need to HTMLencode its characters (the relevant ones), since disabling input check by setting validationRequest = false is not a good practice.
All solutions are finally replacing chars in string:
This is what i've written.
function htmlEncode(str) {
str = str.replace(/\&/g, "&");
str = str.replace(/\</g, "<");
str = str.replace(/\>/g, ">");
str = str.replace(/ /g, " ");
return str;
}
But apprently regex could be replaced with something much faster (don't get me wrong - I love regex).
Also, working with indexes + sub-strings seems wasteful.
What is the fastest way of doing it?
When I submit/POST data to the server, I need to HTMLencode its characters (the relevant ones), since disabling input check by setting validationRequest = false is not a good practice.
All solutions are finally replacing chars in string:
This is what i've written.
function htmlEncode(str) {
str = str.replace(/\&/g, "&");
str = str.replace(/\</g, "<");
str = str.replace(/\>/g, ">");
str = str.replace(/ /g, " ");
return str;
}
But apprently regex could be replaced with something much faster (don't get me wrong - I love regex).
Also, working with indexes + sub-strings seems wasteful.
What is the fastest way of doing it?
Share Improve this question edited Sep 24, 2012 at 9:47 vzwick 11k5 gold badges46 silver badges63 bronze badges asked Sep 24, 2012 at 9:16 Royi NamirRoyi Namir 149k144 gold badges492 silver badges829 bronze badges 11- 5 disabling input check by setting validationRequest = false - is not a good practice — Hacking around a security filter that rejects data you want to accept is worse practise. Set up your security filters to access the type of content you want to accept instead of accepting defaults designed to protect people who don't know what they are doing. – Quentin Commented Sep 24, 2012 at 9:19
- 2 stackoverflow./questions/1219860/… – Erich Kitzmueller Commented Sep 24, 2012 at 9:20
- 1 stackoverflow./questions/1219860/… (edit: @ammoQ - heh!) – vzwick Commented Sep 24, 2012 at 9:21
- 1 @RoyiNamir — Good/Great programmers don't micro-optimise until code profiling says they need to. They write code designed to maximise maintainability. – Quentin Commented Sep 24, 2012 at 9:37
- 1 @RoyiNamir — Not HTML encoding on the client in the first place will give the best performance on the client. – Quentin Commented Sep 24, 2012 at 9:38
3 Answers
Reset to default 12function htmlEncode(str) {
return String(str)
.replace(/&/g, '&')
.replace(/"/g, '"')
.replace(/'/g, ''')
.replace(/</g, '<')
.replace(/>/g, '>');
}
jsperf tests show this method is fast and possibly the fastest option if you're in a recent browser version
anothre way to also like this
function htmlEncode(value){
return $('<div/>').text(value).html();
}
function htmlDecode(value){
return $('<div/>').html(value).text();
}
If you are just encoding HTML entities, you can try:
function htmlEncode(str) {
var d = document.createElement('b');
d.innerText = str;
return d.innerHTML;
}
This way is not the fastest. This test indicates that regExp is faster: http://jsperf./encodehtml
However, the difference seems to be smaller the more HTML you consume.
The innerText method seems more reliable as it will exploit the native browser conversion tables for entities. With RegExp, there is always a chance that you missed something and as some previous answers indicate, consuming HTML using RegExp is not always optimal.
function htmlEncode(value){
if (value) {
return jQuery('<div />').text(value).html();
}
return '';
}
function htmlDecode(value) {
if (value) {
return $('<div />').html(value).text();
}
return '';
}