
javascript - Using EJS into input value doesn't show properly - Stack Overflow


Below is part of my node.js application's client code using an EJS template. There is an input box, and if the user isn't logged in, I want to show a message in the input box. Also, the input box should be disabled too.

But it doesn't display properly. How can I display the whole statement including the spaces, not just 'Need' but 'Need to Login'?

<input type="text" <%= (isAuthenticated) ? '' : "value='Need to Login'" %> />

// view : 'Need
// It doesn't show after space

asked Feb 20, 2016 at 8:57 by ton1
  • you're rendering this on node? it sounds like it's hitting the browser un-interpolated... – dandavis Commented Feb 20, 2016 at 9:03
  • @dandavis No, it's .ejs code, I'm testing it in Google Chrome... – ton1 Commented Feb 20, 2016 at 9:09
  • 1 looking at the answer, which is probably right, it was kinda hitting the browser interpolated, but not in the way I thought. do watch out for XSS if any of that content can ever be dynamic. – dandavis Commented Feb 20, 2016 at 9:13

1 Answer


In EJS <%= foo %> escapes HTML, while <%- foo %> does not.

In your case, <%= "value='Need to Login'" %> will render value=&#39;Need to Login&#39;, which isn't what you want.

Replacing <%= with <%- will do the trick.

In general though, be thoughtful when using <%-, especially when showing arbitrary strings or user input, as it could make you vulnerable to XSS.
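
As an added example (not part of the original answer and not EJS's own code), the JavaScript below models the two output tags with a stand-in escape function and a simplified attribute tokenizer, to show why the question's input displayed only 'Need and what `<%-` does once the message is dynamic. The names `render` and `parseAttrs` and the sample messages are constructed for illustration, and `escapeXML` assumes EJS's default escaping of the five characters & < > " '.

```javascript
// Stand-in for the escaping <%= applies (assumption: EJS's default escape function).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
const escapeXML = (s) => String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Decode the character references a browser resolves inside attribute values.
const decode = (s) => s
  .replace(/&#(\d+);/g, (_, n) => String.fromCharCode(n))
  .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');

// Simplified attribute tokenizer for one start tag (not a full HTML parser):
// a value is double-quoted, single-quoted, or unquoted and ends at whitespace.
function parseAttrs(tag) {
  const body = tag.replace(/^<\w+/, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  const attrs = {};
  for (const m of body.matchAll(re)) {
    attrs[m[1]] = decode(m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Three ways to write the template line (hypothetical helper, not an EJS API).
function render(kind, message) {
  const attr = {
    // <input type="text" <%= "value='...'" %> />   (the question's code)
    escapedWhole: escapeXML(`value='${message}'`),
    // <input type="text" <%- "value='...'" %> />   (the answer's fix)
    rawWhole: `value='${message}'`,
    // <input type="text" value="<%= message %>" /> (quotes stay in the template)
    escapedInside: `value="${escapeXML(message)}"`,
  }[kind];
  return `<input type="text" ${attr} />`;
}

// Constructed sample: a message that contains a quote and extra attributes.
const dynamicMessage = "Hi' disabled data-injected='1";

console.log(parseAttrs(render('escapedWhole', 'Need to Login')));  // value is 'Need
console.log(parseAttrs(render('rawWhole', 'Need to Login')));      // value is Need to Login
console.log(parseAttrs(render('rawWhole', dynamicMessage)));       // extra attributes appear
console.log(parseAttrs(render('escapedInside', dynamicMessage)));  // one value attribute only
```

With the quotes written in the template and only the message passed through `<%=`, the escaped quote characters stay inside the attribute value, so `<%-` is not needed for this case.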
