Mahfuzur Rahman (3,204 Points)
.text(title) but .html(content)
Why are we using $('#blogContentPreview').html(content) instead of $('#blogContentPreview').text(content)?
Steven Parker (127,522 Points)
The "html" method allows the content to contain markup tags (such as the "<strong>" shown in the example), but the "text" method does not. If you were loading the content with "text", then the "<strong>" tag would show as-is instead of causing the area it encloses to be emphasized.
If you wanted to allow markup to be used in the title, you could substitute the "html" method there also.
A little experimentation might be worth more than any explanation!
It's worth noting that the use of html() to display html encoded content exposes a security vulnerability.
<script>alert("You've been hacked!")</script>
into the content input, then pressing 'Preview'.
You should see the alert pop up on screen. This occurs because we are blindly trusting the user data, and not attempting to sanitize the content they provide. This vulnerability could expose our site to attacks such as Cross-Site Scripting that have much bigger consequences than just an annoying alert box popping up.
Check out Stored Cross-Site Scripting!
I think you misunderstood.
Yes, in this exact scenario, this isn't a big risk because the application does not have a backend. The data is not at risk of being transmitted to a database or server somewhere.
I was merely attempting to point out that every developer, even beginner developers, should know that reflecting user data in the browser without performing any sanitization is dangerous. Security vulnerabilities such as this one are rarely mentioned to beginner developers, and often ignored by mid-level and senior developers.
Plus, it's fun to learn how to break your own site!