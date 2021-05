I have been toying around with a few ideas. Taking the formData approach into account and building the HTML using a separate template string — Possibly a more flexible approach

As Martyr2 mentioned the input does need to be sanitized, so I have been looking at DOMPurify as one option. The CDN can be found here

In an ideal world it would be nice to be able to pass a template sting into a function to be evaluated/parsed — unfortunately a template string is evaluated within the execution context it is defined in.

e.g.

//global execution context const template = `<p>${somevalue}</p>` // throws error Uncaught ReferenceError: somevalue is not defined // we never get to here function parse (template, data) { .... } parse(template, {...})

One way around this I could think of was to wrap the template in a function. That way it could be evaluated when needed.

<body> <div id='output'></div> <script src='https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.2.7/purify.min.js'></script> <script> // define the template as a separate piece of data // Due to a template string being immediately evaluated within it's context // I have wrapped it in a function so that it can be evaluated when required. const taskTemplate = ({id, taskTitle, task}) => ( ` <div id='${id}'> <h1>${taskTitle}</h1> <p>${task}</p> </div> ` ) // data that might come from localStorage or formData const data = { id: 'task1', taskTitle: 'Walk the Dog', task: 'Take Shep for a walk<img src=x onerror="alert(\'Malicious Attack\')">' // nasty code included } const { sanitize } = DOMPurify // For brevity DOMPurify.sanitze destructured // sanitize each data string value // returning a sanitized object const sanitizeData = (data, opts = {} /* see DOMPurify options */) => Object.fromEntries( Object .entries(data) .map(([key, value]) => [key, sanitize(value, opts)]) ) // data safe to store and output?! const sanitizedData = sanitizeData( data, { ALLOWED_TAGS: [] } // remove tagged blocks from strings ) output.innerHTML = taskTemplate(sanitizedData) /* output <div id="output"> <div id="task1"> <h1>Walk the Dog</h1> <p>Take Shep for a walk</p> </div> </div> */ </script> </body>

EJS Embedded Javascript Templating

A second idea. I have used pug and handlebars, but EJS is definitely my favourite of the bunch. Similar in a way to using PHP for templating. The link for the CDN can be found here

So very much the same as above with a couple of small differences

<body> <div id='output'></div> <script src='https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.2.7/purify.min.js'></script> <script src='https://cdn.jsdelivr.net/npm/ejs@3.1.6/ejs.min.js'></script> <script> // ejs template string // No need to wrap this in a function const taskTemplate = ` <div id='<%= id %>'> <h1><%= taskTitle %></h1> <p><%= task %></p> </div> ` // same as before const data = { id: 'task1', taskTitle: 'Walk the Dog', task: 'Take Satan for a walk<img src=x onerror="alert(\'Malicious Attack\')">' } const { sanitize } = DOMPurify const sanitizeData = (data, opts = {}) => Object.fromEntries( Object .entries(data) .map(([key, value]) => [key, sanitize(value, opts)]) ) const sanitizedData = sanitizeData(data, { ALLOWED_TAGS: [] }) // this time render the template with ejs output.innerHTML = ejs.render(taskTemplate, sanitizedData) </script> </body>

Lastly a bit rusty when it comes to localStorage, but a quick test

const data = { id: 'task1', taskTitle: 'Walk the Dog', task: 'Take Shep for a walk' } localStorage.setItem('formData', JSON.stringify(data)) // output retrieved data console.log(JSON.parse(localStorage.getItem('formData'))) // {id: "task1", taskTitle: "Walk the Dog", task: "Take Shep for a walk"}

Just some ideas. There maybe better alternatives