<< How the IIS SEO Toolkit Saved ... | Home | ASP.NET MVC 2 RC Released >>

Live Preview jQuery Plugin

Many web applications (such as this blog) allow users to enter HTML as a comment. For security reasons, the set of allowed tags is tightly constrained by logic running on the server. Because of this, it’s helpful to provide a preview of what the comment will look like as the user is typing the comment.

sneak peek - by ArminH on sxc.huThat’s exactly what my live preview jQuery plugin does.

See it in action

This is the first jQuery Plugin I’ve written, so I welcome feedback. I was in the process of converting a bunch of JavaScript code in Subtext to make use of jQuery, significantly reducing the amount of hand-written code in the project. Needless to say, it was a lot of fun. I decided to take our existing live preview code and completely rewrite it using JavaScript.

All you need for the HTML is an input, typically a TEXTAREA and an element to use as the preview, typically a DIV

<textarea class="source"></textarea>

<label>Preview Area</label>
<div class="preview"></div>

And the following script demonstrates one way to hook up the preview to the textarea.

$(function() {
    $('textarea.source').livePreview({
        previewElement: $('div.preview'),
        allowedTags: ['p', 'strong', 'br', 'em', 'strike'],
        interval: 20
    });
});

One thing that’s different between this implementation and others I’ve seen is you can specify a set of allowed tags. When typing in the textbox, the preview will render any tags in that list. If the user types in tags which are not in that list, the preview will HTML encode the tags.

Keep in mind that this plugin is for previewing what comments will look like and should not be used as validation! The preview might not exactly match your server-side logic.

Also for fun, I’m hosting the source code on GitHub as a way to force myself to learn what all the fuss is about GIT.

What others have said

Requesting Gravatar... Mikael Söderström Dec 15, 2009 3:05 PM
# re: Live Preview jQuery Plugin
That´s great, good job! :-)
Requesting Gravatar... Damon Stephenson Dec 15, 2009 3:33 PM
# re: Live Preview jQuery Plugin

Hello


<br/>
Boo
Hello Boo

Boo


argh




Seems a little buggy so far. The last boo and argh are em'd :/

Seems quite good though!
Requesting Gravatar... Robby Dec 15, 2009 3:48 PM
# re: Live Preview jQuery Plugin
Wow! That's totally sweet!
Requesting Gravatar... I am me Dec 15, 2009 4:15 PM
# re: Live Preview jQuery Plugin
no WAY
Requesting Gravatar... Nathan Dec 15, 2009 5:17 PM
# re: Live Preview jQuery Plugin
Nice work! I have to say I do like jquery plugin demo pages that use the un-minified version so that I can quickly and easily copy peruse your bits.
Requesting Gravatar... Matthew M. Osborn Dec 15, 2009 5:32 PM
# re: Live Preview jQuery Plugin
It only works if you use lowercase ;) Just doing me job :) On the other hand this is really cool I actually had a Stackoverflow question looking for something just like this! stackoverflow.com/.../lightweight-rich-text-editor
Requesting Gravatar... Brian Chiasson Dec 15, 2009 6:06 PM
# re: Live Preview jQuery Plugin
That's a useful plugin. I did notice that if you type more text than can fit in that preview div that the preview text moves beyond the div.
Requesting Gravatar... haacked Dec 15, 2009 7:22 PM
# re: Live Preview jQuery Plugin
Thanks for the feedback and bug reports. I styled the DIV to be a specific height and width. I should just change the style so it auto expands vertically.
Requesting Gravatar... smaclell Dec 15, 2009 7:59 PM
# re: Live Preview jQuery Plugin
Interesting. Are you stripping out or blocking attributes? I noticed styling still worked which I thought was kinda fun.
Requesting Gravatar... Pita.O Dec 15, 2009 8:23 PM
# re: Live Preview jQuery Plugin
Hey Phil:
Nice piece.
Just found a bug, though:

br works when you use only the non-xhtml version or the html version with separating white-space (because of the residue of plain br, really); however <br/> (ie: xhtml br without spaces) does not work
Requesting Gravatar... haacked Dec 15, 2009 8:42 PM
# re: Live Preview jQuery Plugin
I pushed an update which fixes a few bugs. Pita. Newlines are automatically converted to BR tags (now that I fixed the bugs), so there's no need to type in BR tags.
Requesting Gravatar... farrio Dec 15, 2009 9:34 PM
# re: Live Preview jQuery Plugin
Hoho, readlly nice.

When did your start to play with jQuery, our MVC guy :P
Requesting Gravatar... Erik Dec 15, 2009 11:01 PM
# re: Live Preview jQuery Plugin
Very nice, you should block javascript attributes (events) though.

E.g.
Click Me!

Erik
Requesting Gravatar... Erik Dec 15, 2009 11:02 PM
# re: Live Preview jQuery Plugin
Here's the snippet I meant for the previous comment:

&lt;strong style="color:blue;text-decoration:underline;" onclick="alert('I am the injected script');"&gt;Click Me!&lt;/strong&gt;
Requesting Gravatar... Heine Dec 15, 2009 11:46 PM
# re: Live Preview jQuery Plugin
I'd recommend stripping certain attributes as well:

&lt;p onmouseover="javascript:alert(0)"&gt;Foobar&lt;/p&gt;

Such attributes are very easy to exploit when &lt;img&gt; is allowed:

&ltimg src="http://example.com/nofilehere.jpg" onerror="javascript:exploit()" /&gt;
Requesting Gravatar... Jhonmey Dec 15, 2009 11:58 PM
# re: Live Preview jQuery Plugin
中文
Requesting Gravatar... Thanigainathan Dec 16, 2009 1:32 AM
# re: Live Preview jQuery Plugin
Hi Sir,

Wonderful article !

Thanks,
Thani
Requesting Gravatar... Simon Dec 16, 2009 1:46 AM
# re: Live Preview jQuery Plugin
That's really nice.

It bears repeating that this javascript can easily be tampered with to "extend" the allowed tags, so if there was no server side validation, the usual script injection vulnerabilities could be exploited trivially.
Requesting Gravatar... Tomas Dec 16, 2009 3:21 AM
# re: Live Preview jQuery Plugin
Great job! Why don't you implement this right here in the comment field of your blog right away? =)
Requesting Gravatar... Ian Roke Dec 16, 2009 3:53 AM
# re: Live Preview jQuery Plugin
Nice plugin Phil but I noticed some jumping around when using the p tag on the first paragraph and also subsequent paragraphs in the preview area.

Can this be fixed?

Cheers, Ian.
Requesting Gravatar... Ira Dec 16, 2009 5:39 AM
# re: Live Preview jQuery Plugin
I have noticed a little glitch. The allowed tag list also offers css styling. This would allow me to place things on the page where you might not want them. Take the sample from below and use it in the demo, and I get my text at the upper left of the screen.


Hi there!




Just a small FYI. Great plugin though!
Requesting Gravatar... Ira Dec 16, 2009 5:41 AM
# re: Live Preview jQuery Plugin
Sorry, I thought the code tag would allow me to show the greater than and less thans. Here is the snip

&lt;p style="position:absolute;top:0;left:0;&gt;Hi there!&lt;/p&gt;
Requesting Gravatar... Javier Lozano Dec 16, 2009 6:16 AM
# re: Live Preview jQuery Plugin
Are you planning on providing an HtmlHelper for MVC or web control for WebForms?
Requesting Gravatar... RichB Dec 16, 2009 6:36 AM
# re: Live Preview jQuery Plugin
You should be using Google's Caja JavaScript-based sanitizer to do your HTML sanitization.
Requesting Gravatar... Chirag Dec 16, 2009 8:23 AM
# re: Live Preview jQuery Plugin
This is simple solution for a very common problem. Thanks! I have seen it in action on stackoverflow.
Requesting Gravatar... Portman Dec 16, 2009 8:56 AM
# re: Live Preview jQuery Plugin
Question: why did you go to the trouble of implementing a setTimeout interval to bind/unbind the keyup event? Why not just render the preview on every keyup, even if they occur more frequently than every 80ms?
Requesting Gravatar... Ghasem Dec 16, 2009 10:19 AM
# re: Live Preview jQuery Plugin
That's really nice.
Requesting Gravatar... Cipher Dec 16, 2009 1:54 PM
# re: Live Preview jQuery Plugin
I am with Portman. Whats the point of unbinding/binding and the updatingPreview variable, since javascript is single threaded anyways?
Requesting Gravatar... hackee Dec 16, 2009 4:45 PM
# re: Live Preview jQuery Plugin
there already has a lightweight but quite powerful jquery plugin doing almost the same things:

http://markitup.jaysalvat.com/

what's the diff?
Requesting Gravatar... hackee Dec 16, 2009 4:48 PM
# re: Live Preview jQuery Plugin
There already has a lightweight but quite powerful jquery plugin doing almost the same things:
markItUp!

what's the diff? Haacked:)
Requesting Gravatar... Željko Dec 16, 2009 5:29 PM
# re: Live Preview jQuery Plugin
strong!
Requesting Gravatar... tester Dec 17, 2009 12:06 AM
# re: Live Preview jQuery Plugin
FETT
Requesting Gravatar... Enrique Dec 17, 2009 6:54 AM
# re: Live Preview jQuery Plugin
Phil, when you write something on the first line and then you enter 2 ENTERs, a BR is created before the first line, on IE8, using IE8 on compatibility mode works fine.
Requesting Gravatar... Salman Farsi Dec 17, 2009 9:57 PM
# re: Live Preview jQuery Plugin
Hi,

Good Job.

Regards
Requesting Gravatar... lgm Dec 18, 2009 12:16 AM
# re: Live Preview jQuery Plugin
<br>????? phil, it's not xhtml!!!!
your plugin should convert <br/>. actually, it doesn't :'(
Requesting Gravatar... Elijah Manor Dec 29, 2009 3:52 AM
# re: Live Preview jQuery Plugin
Your plugin has made it to the

"18 Latest jQuery Plugins for Your Next Project" http://j.mp/7VqYpx

;)
Requesting Gravatar... rakeback Feb 03, 2010 6:05 AM
# re: Live Preview jQuery Plugin
This is a pretty cool plugin, great for testing jQuery code and it saves a lot of time. I tried markitup but it was a little too complicated and I couldn't get it to work, so this is perfect for me.
Requesting Gravatar... Benjamin "balupton" Lupton Mar 05, 2010 4:26 PM
# re: Live Preview jQuery Plugin
Got to agree with Heine, came up with the following with my own independent testing:

asdasd



Should really have a bold disclaimer that server side validation is still required and that it can make basic XSS exploits possible if the developer allows for the text field to have a value inserted via say a URL or saved query. As such a bad short url could make use of this, have the website insert the bad text into the textfield, and the unwary user mouses over the page, and bang their cookie details are sent away or whatnot, and some user is wondering they they just bought a bunch of stuff they didn't want.
Requesting Gravatar... Benjamin "balupton" Lupton Mar 05, 2010 4:28 PM
# re: Live Preview jQuery Plugin
Whoops, here is the post with lt and gt entities:

Got to agree with Heine, came up with the following with my own independent testing:
&lt; p onmouseover="alert('asd')" style="width:1000px; height:1000px; position:absolute; top:0; left:0;" &rt; asdasd &lt; /p &rt;

Should really have a bold disclaimer that server side validation is still required and that it can make basic XSS exploits possible if the developer allows for the text field to have a value inserted via say a URL or saved query. As such a bad short url could make use of this, have the website insert the bad text into the textfield, and the unwary user mouses over the page, and bang their cookie details are sent away or whatnot, and some user is wondering they they just bought a bunch of stuff they didn't want.
Requesting Gravatar... Flug Skycheck Jun 10, 2010 2:11 AM
# re: Live Preview jQuery Plugin
Well, pretty much what I was searching for. Very nice work!

What do you have to say?

(will show your gravatar)
Please add 3 and 8 and type the answer here: