Live Preview jQuery Plugin

Dec 15, 2009 code suggest edit

Many web applications (such as this blog) allow users to enter HTML as a comment. For security reasons, the set of allowed tags is tightly constrained by logic running on the server. Because of this, it’s helpful to provide a preview of what the comment will look like as the user is typing the comment.

That’s exactly what my live preview jQuery plugin does.

See it in action

This is the first jQuery Plugin I’ve written, so I welcome feedback. I was in the process of converting a bunch of JavaScript code in Subtext to make use of jQuery, significantly reducing the amount of hand-written code in the project. Needless to say, it was a lot of fun. I decided to take our existing live preview code and completely rewrite it using JavaScript.

All you need for the HTML is an input, typically a TEXTAREA and an element to use as the preview, typically a DIV

<textarea class="source"></textarea>

<label>Preview Area</label>
<div class="preview"></div>

And the following script demonstrates one way to hook up the preview to the textarea.

```csharp $(function() { $(‘textarea.source’).livePreview({ previewElement: $(‘div.preview’), allowed

Found a typo or mistake in the post? suggest edit

Comments

36 responses

ShakeIt • December 15th, 2009
That´s great, good job! :-)
Damon Stephenson • December 15th, 2009
Hello
 Boo Hello Boo Boo argh
Seems a little buggy so far. The last boo and argh are em'd :/
Seems quite good though!
Robby • December 15th, 2009
Wow! That's totally sweet!
I am me • December 15th, 2009
no WAY
Nathan • December 15th, 2009
Nice work! I have to say I do like jquery plugin demo pages that use the un-minified version so that I can quickly and easily ~~copy~~ peruse your bits.
Matthew M. Osborn • December 15th, 2009
It only works if you use lowercase ;) Just doing me job :) On the other hand this is really cool I actually had a Stackoverflow question looking for something just like this! stackoverflow.com/.../lightweight-rich-text-editor
Brian Chiasson • December 15th, 2009
That's a useful plugin. I did notice that if you type more text than can fit in that preview div that the preview text moves beyond the div.
haacked • December 15th, 2009
Thanks for the feedback and bug reports. I styled the DIV to be a specific height and width. I should just change the style so it auto expands vertically.
smaclell • December 15th, 2009
Interesting. Are you stripping out or blocking attributes? I noticed styling still worked which I thought was kinda fun.
Pita.O • December 15th, 2009
Hey Phil:
Nice piece.
Just found a bug, though:
br works when you use only the non-xhtml version or the html version with separating white-space (because of the residue of plain br, really); however (ie: xhtml br without spaces) does not work
haacked • December 15th, 2009
I pushed an update which fixes a few bugs. Pita. Newlines are automatically converted to BR tags (now that I fixed the bugs), so there's no need to type in BR tags.
farrio • December 15th, 2009
Hoho, readlly nice.
When did your start to play with jQuery, our MVC guy :P
Erik • December 15th, 2009
Very nice, you should block javascript attributes (events) though.
E.g.
Click Me!
Erik
Erik • December 15th, 2009
Here's the snippet I meant for the previous comment:
Click Me!
Heine • December 15th, 2009
I'd recommend stripping certain attributes as well:
Foobar
Such attributes are very easy to exploit when <img> is allowed:
&ltimg src="http://example.com/nofilehere.jpg" onerror="javascript:exploit()" />
Jhonmey • December 15th, 2009
中文
Thanigainathan • December 15th, 2009
Hi Sir,
Wonderful article !
Thanks,
Thani
Simon • December 15th, 2009
That's really nice.
It bears repeating that this javascript can easily be tampered with to "extend" the allowed tags, so if there was no server side validation, the usual script injection vulnerabilities could be exploited trivially.
Tomas • December 15th, 2009
Great job! Why don't you implement this right here in the comment field of your blog right away? =)
Ian Roke • December 15th, 2009
Nice plugin Phil but I noticed some jumping around when using the p tag on the first paragraph and also subsequent paragraphs in the preview area.
Can this be fixed?
Cheers, Ian.
Ira • December 15th, 2009
I have noticed a little glitch. The allowed tag list also offers css styling. This would allow me to place things on the page where you might not want them. Take the sample from below and use it in the demo, and I get my text at the upper left of the screen.
Hi there!

Just a small FYI. Great plugin though!
Ira • December 15th, 2009
Sorry, I thought the code tag would allow me to show the greater than and less thans. Here is the snip
Hi there!
Javier Lozano • December 15th, 2009
Are you planning on providing an HtmlHelper for MVC or web control for WebForms?
RichB • December 15th, 2009
You should be using Google's Caja JavaScript-based sanitizer to do your HTML sanitization.
Chirag • December 15th, 2009
This is simple solution for a very common problem. Thanks! I have seen it in action on stackoverflow.
Portman • December 15th, 2009
Question: why did you go to the trouble of implementing a setTimeout interval to bind/unbind the keyup event? Why not just render the preview on every keyup, even if they occur more frequently than every 80ms?
Ghasem • December 15th, 2009
That's really nice.
Cipher • December 16th, 2009
I am with Portman. Whats the point of unbinding/binding and the updatingPreview variable, since javascript is single threaded anyways?
hackee • December 16th, 2009
There already has a lightweight but quite powerful jquery plugin doing almost the same things:
markItUp!
what's the diff? Haacked:)
Željko • December 16th, 2009
strong!
tester • December 16th, 2009
FETT
Enrique • December 16th, 2009
Phil, when you write something on the first line and then you enter 2 ENTERs, a BR is created before the first line, on IE8, using IE8 on compatibility mode works fine.
Salman Farsi • December 17th, 2009
Hi,
Good Job.
Regards
lgm • December 17th, 2009
 ????? phil, it's not xhtml!!!!
your plugin should convert . actually, it doesn't :'(
Elijah Manor • December 28th, 2009
Your plugin has made it to the
"18 Latest jQuery Plugins for Your Next Project" http://j.mp/7VqYpx
;)
Benjamin "balupton" • March 5th, 2010
Got to agree with Heine, came up with the following with my own independent testing:

asdasd

Should really have a bold disclaimer that server side validation is still required and that it can make basic XSS exploits possible if the developer allows for the text field to have a value inserted via say a URL or saved query. As such a bad short url could make use of this, have the website insert the bad text into the textfield, and the unwary user mouses over the page, and bang their cookie details are sent away or whatnot, and some user is wondering they they just bought a bunch of stuff they didn't want.