Sometimes, your REST or SOAP API sends you raw HTML as text data – for example, the excerpt or content of your WordPress blog post. If you’re anything like me, breaking down and re-formatting this perfectly fine piece of HTML is not on the list of options. So, how do we re-use this HTML code?
In this example I’ve configured the WordPress.com REST API to give me a list of my blog posts. I want to display the Title, the Date the blog was posted, and the Excerpt on a card. The Excerpt is HTML formatted; all tags are present in the text I got from the API. Trying to insert this directly into an expression returns the following result:
Not really what I want to show to my user. However, the solution turns out to be simple: set the ‘Escape Content’ property of the Expression to ‘No’ and re-publish the module, and there we go:
The tags are no longer shown as text; the browser now renders them as HTML. Great.
However, there is one significant danger to this method. With ‘Escape Content’ set to ‘No’, whatever HTML the API returns is rendered as-is in the user’s browser. When you have no control over what goes into the HTML content you’re trying to pick up, you could enable third parties to inject malicious HTML into your expression (cross-site scripting). Displaying comments from users, for example, is risky to just output unescaped this way. In such situations, using OutSystems’ Sanitizer API to remove such harmful content before ever displaying it is a much better idea.