在HTML链接中使用javascript变量时的正确语法
[英]Proper syntax when using a javascript variable in an HTML link
问题描述
I am simply trying to combine a simple html (php) link and include a JS variable. 
我只是想结合一个简单的html(php)链接并包含一个JS变量。 This is what I have but the syntax is incorrect. 这是我的,但语法不正确。 Suggestions? 建议?
$.each(playlist, function(index, val) {
playlistHtml += "<form name="form" method="post" action="../_inc/process_track_move.php?track="+val.sources[0].title"
});
3 个解决方案
解决方案1
1 2017-07-03 03:44:42
A suggestion along with the answer, Answer: you need to use both single and double quotes. 一个建议和答案,答案:你需要使用单引号和双引号。 Suggestion: use a variable to take the link out of the logic. 建议:使用变量将链接从逻辑中取出。 It's easier to see and edit this way. 以这种方式查看和编辑更容易。 This is not required, but makes it more readable when you come back to it. 这不是必需的,但是当你回到它时它会更具可读性。
This example is based on what you provided. 此示例基于您提供的内容。
$.each(playlist, function(index, val) {
var baseLink = "../_inc/process_track_move.php?rack=";
playlistHtml +=
"<form name='form' method='post'
action='" + baseLink + val.sources[0].title + "'";
});
This would be assuming you wanted to close the form link and just didn't include. 这可能是假设您想要关闭表单链接而不包括。
$.each(playlist, function(index, val) {
var baseLink = "../_inc/process_track_move.php?rack=";
playlistHtml +=
"<form name='form' method='post'
action='" + baseLink + val.sources[0].title + "'></form>";
});
解决方案2
1 2017-07-03 03:44:59
You should single quotes inside the double quotes, like 你应该在双引号内单引号,比如
$.each(playlist, function(index, val) {
playlistHtml += "<form name='form' method='post' action=' ../_inc/process_track_move.php?track='+val.sources[0].title"
});
解决方案3
1 已采纳 2017-07-03 03:54:54
You generally should not be assembling raw HTML manually in JavaScript; 您通常不应该在JavaScript中手动组装原始HTML; it's easy to get wrong. 这很容易出错。 In your case, even if your code worked, it would be vulnerable to encoding errors and XSS security issues because it doesn't properly encode the attribute value. 在您的情况下,即使您的代码有效,它也很容易受到编码错误和XSS安全问题的影响,因为它没有正确编码属性值。
The safer choice is to use the DOM API, a framework, or a default-safe templating engine to create the elements you need, which will automatically care care of encoding attribute values. 更安全的选择是使用DOM API,框架或默认安全模板引擎来创建您需要的元素,这将自动关注编码属性值。
Here's how we could use the DOM API instead of raw HTML for your case. 以下是我们如何在您的案例中使用DOM API而不是原始HTML。
var playlist = document.createElement('div'); // or document.querySelector('#playlist')?
$.each(playlist, function(index, val) {
var form = document.createElement('form');
form.setAttribute('name', 'form');
form.setAttribute('method', 'post');
form.setAttribute('action', '../_inc/process_track_move.php?track=' + val.sources[0].title);
playlist.appendChild(form);
});
playlistHtml += playlist.innerHTML;
You can add the created elements directly to the document, or convert them to an HTML string like you were originally using. 您可以将创建的元素直接添加到文档中,也可以将它们转换为最初使用的HTML字符串。
If you really must use raw HTML concatenation, you can't just + a text string on to your HTML, you must encode it as HTML first to avoid security vulnerabilities or errors. 如果你真的必须使用原始的HTML拼接,你不能只+到您的HTML文本字符串,则必须对其进行编码为HTML第一,以避免安全漏洞或错误。 At minimum, that means using a function like this: 至少,这意味着使用这样的函数:
function textToHtml(s) {
return s
.replace(/&/g, '&')
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/"/g, '"')
.replace(/'/g, ''');
}
You must also escape the " s inside your string as \\" for them to parse correctly. 您还必须将字符串中的" s "转义为\\"以便它们正确解析。 This gives us: 这给了我们:
playlistHtml += "<form name=\"form\" method=\"post\" action=\"../_inc/process_track_move.php?track=" + textToHtml(val.sources[0].title) + "\"></form>";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.