在构建html时,在javascript中支持撇号的正确方法是什么?
[英]What is the correct way to support apostrophes in javascript when building up html?
问题描述
i have the following code: 
我有以下代码:
var name = "Joe O'Neal";
var row= [];
row.push(
"<td><input type='hidden' name='milestones[" + id + "].Name'
value='" + name + "' class='currentRowName' />
<span class='currentRowNameText'>" + name + "</span></td>")
but the issue is that i have a situation where there is an apostrophe in the name variable so it causes problems with this: 但问题是我有一个名称变量中有撇号的情况,所以它导致了这个问题:
value='" + name + "'
what is the correct way to write this to avoid any conflicts with apostrophes? 写这个的正确方法是什么,以避免与撇号发生冲突? In C#, i would do something like 在C#中,我会做类似的事情
value=\"" + name + "\"
but that doesn't seem to work in javascript 但这似乎不适用于JavaScript
2 个解决方案
解决方案1
7 已采纳 2014-06-11 14:17:34
What you're looking to do is sanitize your input. 您要做的是清理您的输入。 To do this, you might define a helper method which replaces any unsafe characters with either the Unicode equivalent or the HTML entity. 为此,您可以定义一个帮助器方法,用Unicode等效或HTML实体替换任何不安全的字符。 Not only is this sort of thing used for escaping quotes, but it can also help prevent things like XSS Attacks . 这种东西不仅用于转义引号,还可以帮助防止像XSS攻击这样的事情。
Short-term fix 短期修复
The following is adapted from Tom Gruner's answer from this other question on Escaping HTML strings with jQuery . 以下内容改编自Tom Gruner关于使用jQuery转义HTML字符串的另一个问题的答案 。
var entityMap = {
"&": "&",
"<": "<",
">": ">",
'"': '"',
"'": ''',
"/": '/'
};
function escapeHtml(string) {
return String(string).replace(/[&<>"'\/]/g, function (s) {
return entityMap[s];
});
}
And then to use this, you would do something like the following: 然后使用它,您将执行以下操作:
var name = "Joe O'Neal";
var safe_name = escapeHtml(name);
var row= [];
row.push(
"<td><input type='hidden' name='milestones[" + id + "].Name'
value='" + safe_name + "' class='currentRowName' />
<span class='currentRowNameText'>" + safe_name + "</span></td>");
Long-term fix 长期解决
If you find yourself doing this a lot, then it may be time to start using a template library which can do this automatically. 如果您发现自己这么做了,那么可能是时候开始使用可以自动执行此操作的模板库了。 One template library I recommend and find useful is the Google Closure Templates . 我推荐并发现有用的一个模板库是Google Closure模板 。 It is an enterprise-grade template library which will (by default) sanitize your HTML. 它是一个企业级模板库,默认情况下会清理您的HTML。
For more information on how Closure Templates help protect you, you can check out the page they have on security . 有关Closure模板如何帮助保护您的更多信息,您可以查看他们的安全页面。
解决方案2
4 2014-06-11 05:42:36
You can quote characters: 你可以引用字符:
var apostophe = '\''
or use HTML entities if intended to be used in an HTML document: 或者如果打算在HTML文档中使用HTML实体:
var apostrophe = ''';
var apostrophe = ''';
or use unicode: 或使用unicode:
var apostrophe = '\u0027';
So you can do: 所以你可以这样做:
var name = 'O\u0027Neal';
el.innerHTML = '<input value="' + name + '">';
Mapping of characters to one of the above (entity or Unicode value) is fairly simple using replace with a regular expression. 使用正则表达式替换时 ,将字符映射到上述之一(实体或Unicode值)非常简单。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.