How do I change the text of a span element using JavaScript?
If I have a span, say:
<span id="myspan"> hereismytext </span>
How do I use JavaScript to change "hereismytext" to "newtext"?
Solution 1:
For modern browsers you should use:
document.getElementById("myspan").textContent="newtext";
While older browsers may not know textContent
, it is not recommended to use innerHTML
as it introduces an XSS vulnerability when the new text is user input (see other answers below for a more detailed discussion):
//POSSIBLY INSECURE IF NEWTEXT BECOMES A VARIABLE!!
document.getElementById("myspan").innerHTML="newtext";
Solution 2:
Using innerHTML is SO NOT RECOMMENDED. Instead, you should create a textNode. This way, you are "binding" your text and you are not, at least in this case, vulnerable to an XSS attack.
document.getElementById("myspan").innerHTML = "sometext"; //INSECURE!!
The right way:
span = document.getElementById("myspan");
txt = document.createTextNode("your cool text");
span.appendChild(txt);
For more information about this vulnerability: Cross Site Scripting (XSS) - OWASP
Edited nov 4th 2017:
Modified third line of code according to @mumush suggestion: "use appendChild(); instead".
Btw, according to @Jimbo Jonny I think everything should be treated as user input by applying Security by layers principle. That way you won't encounter any surprises.
Solution 3:
EDIT: This was written in 2014. You probably don't care about IE8 anymore and can forget about using innerText
. Just use textContent
and be done with it, hooray.
If you are the one supplying the text and no part of the text is supplied by the user (or some other source that you don't control), then setting innerHTML
might be acceptable:
// * Fine for hardcoded text strings like this one or strings you otherwise
// control.
// * Not OK for user-supplied input or strings you don't control unless
// you know what you are doing and have sanitized the string first.
document.getElementById('myspan').innerHTML = 'newtext';
However, as others note, if you are not the source for any part of the text string, using innerHTML
can subject you to content injection attacks like XSS if you're not careful to properly sanitize the text first.
If you are using input from the user, here is one way to do it securely while also maintaining cross-browser compatibility:
var span = document.getElementById('myspan');
span.innerText = span.textContent = 'newtext';
Firefox doesn't support innerText
and IE8 doesn't support textContent
so you need to use both if you want to maintain cross-browser compatibility.
And if you want to avoid reflows (caused by innerText
) where possible:
var span = document.getElementById('myspan');
if ('textContent' in span) {
span.textContent = 'newtext';
} else {
span.innerText = 'newtext';
}
Solution 4:
document.getElementById('myspan').innerHTML = 'newtext';
Solution 5:
I use Jquery
and none of the above helped, I don't know why but this worked:
$("#span_id").text("new_value");