正确的转义字符串的方法
[英]Proper way to escape a string
问题描述
I have created "edit comment" button in javascript for a website. 
我已经在JavaScript中为网站创建了“编辑评论”按钮。 Actually everything works fine but the string escapes do not work. 实际上,一切正常,但字符串转义不起作用。 I just tried to put into the edit input something like 我只是想在编辑输入中输入类似
<script> alert(user->id); </script>
And it shows the alert ! 它显示警报!
I tried to do some long escapes like these below but they do not change anything, the alert still appears: 我尝试执行以下类似的长时间转义,但它们没有改变任何内容,警报仍然出现:
newComment.replace("'","\'");
newComment.replace("\"","\\\"");
newComment.replace("(","\(");
newComment.replace(")","\)");
newComment.replace("<","\<");
newComment.replace(">","\>");
newComment.replace(";","\;");
I have also tried to use encodeURI , but it shows insantly the encoded comment which do not look good at all... 我也尝试过使用encodeURI ,但是它疯狂地显示了编码的注释,看起来一点也不好...
So what is the proper way to escape the strings now? 那么,现在转义字符串的正确方法是什么? I am reading dozens of similar topics but I don't get this at all... 我正在阅读数十个类似的话题,但我根本不明白这一点。
3 个解决方案
解决方案1
1 2015-08-26 12:32:37
but they do not change anything
newComment.replace("'","\'");
you're doing nothing with the result of the function. 您对函数的结果不做任何事情。 instead, do this 相反,这样做
newComment = newComment.replace("'","\'");
also, you can chain the replace functions together, but make sure you do something with the result, like assign it to a variable, otherwise you're effectively doing nothing 同样,您可以将replace函数链接在一起,但是要确保对结果做一些事情,例如将其分配给变量,否则实际上什么也没做
newComment = newComment.replace("'","\'").replace(...).replace(...);
解决方案2
0 2015-08-26 12:39:12
Escaping characters in a string is meant to be used when you have to code that character in the source of the application. 当必须在应用程序的源代码中编码该字符时,应使用转义字符。 It tells the interpreter/compiler that it's not supposed to treat that character like a normal one and not one that is supposed to abide by the syntax rules of the language. 它告诉解释器/编译器它不应该像一般字符一样对待该字符,而不是应该遵守该语言的语法规则的字符。 For example: 例如:
//the JavaScript engine will interpret this as an error and not execute the code. // JavaScript引擎会将其解释为错误,并且不会执行代码。
var newComment = 'test'';
//this does: //这样做:
var newComment = 'test\'';
the \\ tells the engine "hey don't use this to close the string, treat it as part of one." \\告诉引擎“嘿,不要用它来关闭字符串,把它当作字符串的一部分。” With the user entering in text at runtime, the engine already knows that it's not supposed to be interpreted as source, but as a runtime value, so there is no need to escape it in that scenario. 随着用户在运行时输入文本,引擎已经知道不应将其解释为源,而应将其解释为运行时值,因此在这种情况下无需对其进行转义。
a note about this code: 关于此代码的注释:
newComment.replace("'","\'");
newComment.replace("\"","\\\"");
newComment.replace("(","\(");
newComment.replace(")","\)");
newComment.replace("<","\<");
newComment.replace(">","\>");
newComment.replace(";","\;");
- Strings are immutable in JavaScript, so newComment won't ever change. 字符串在JavaScript中是不可变的,因此newComment永远不会更改。 you have to change and assign like
newComment = newComment.replace('','');您必须像newComment = newComment.replace('','');那样进行更改和分配newComment = newComment.replace('',''); - Each time you use the replace function it creates a new string, because strings are immutable. 每次使用replace函数时,它都会创建一个新字符串,因为字符串是不可变的。 You have to be careful of this, because depending on the scenario, that can create a lot of overhead. 您必须注意这一点,因为根据方案的不同,可能会产生大量开销。
解决方案3
0 2015-08-26 12:42:22
JavaScript strings are immutable. JavaScript字符串是不可变的。 So you have to save it to a variable after you call replace. 因此,您必须在调用replace之后将其保存到变量中。
at the moment you are just calling the replace function but nothing is being saved. 目前,您只是在调用replace函数,但没有保存任何内容。
Here is a quick jsfiddle to help explain: https://jsfiddle.net/s13rboe5/ 这是一个快速的jsfiddle来帮助解释: https ://jsfiddle.net/s13rboe5/
var a = "aaa" var b = "bbb" a.replace('a', 'b'); b = b.replace('b', 'a'); alert(a); alert(b);
also here is a link to help you understand immutability in javascript. 这也是一个链接,可帮助您了解javascript中的不变性。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.