Adding raw HTML to your module

Sometimes, your REST or SOAP API sends you raw HTML as text data – for example, the excerpt or content of your WordPress blog post. If you’re anything like me, breaking down and re-formatting this perfectly fine piece of HTML is not an option. So, how do we re-use this HTML code?

In this example I’ve configured the WordPress.com REST API to give me a list of my blog posts. I want to display the title, the date the post was published, and the excerpt on a card. The excerpt is HTML formatted: all tags are present in the text I got from the API. Inserting it directly into an Expression gives the following result:

[Screenshot: HTMLunescaped]

Not really what I want to show to my user. However, the solution turns out to be simple: set the ‘Escape Content’ property of the Expression to ‘No’, re-publish the module, and there we go:

[Screenshot: HTMLescaped]

All tags removed! Great.

However, there is one significant danger to this method. When you have no control over what goes into the HTML content you’re picking up, you may be letting third parties inject malicious HTML into your Expression. Displaying user-submitted comments, for example, with escaping turned off this way is risky. In such situations, using OutSystems’ Sanitizer API to remove the harmful content before it is ever displayed is a much better idea.
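To make the difference between the two approaches concrete, here is an added example (my own code, not OutSystems’ Sanitizer API) of an allow-list sanitizer: `escape_html` shows what ‘Escape Content = Yes’ does to the text, and `sanitize_html` keeps only a handful of harmless tags and attributes while dropping scripts, event handlers and non-http links. The allowed tag list and the sample input are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Allow-list: tag -> attributes that survive. Everything not listed is dropped.
ALLOWED = {"p": set(), "br": set(), "em": set(), "strong": set(),
           "ul": set(), "li": set(), "a": {"href"}}
# Tags whose whole content is dropped, not just the tag itself.
DROP_CONTENT = {"script", "style"}
SAFE_SCHEMES = ("http://", "https://")


class AllowListSanitizer(HTMLParser):
    """Rebuilds a fragment from the parse events, emitting only allow-listed markup."""

    def __init__(self):
        super().__init__()      # convert_charrefs=True: handle_data gets decoded text
        self.out = []
        self.skip = 0           # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return              # unknown tag (div, img, ...): drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue        # drops on* handlers, style, class, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue        # blocks javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # re-escape text content


def sanitize_html(fragment: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def escape_html(fragment: str) -> str:
    """Equivalent of 'Escape Content = Yes': every tag becomes visible text."""
    return html.escape(fragment, quote=False)
```

Run `sanitize_html` on the constructed excerpt `<p>Hello <script>bad()</script><a href="javascript:x" onclick="y">link</a></p>` and only `<p>Hello <a>link</a></p>` survives, which is the kind of output that is safe to render with escaping turned off.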

Enjoy!
