[英]Escaping apostrophes in HTML with Spring
I have an error in some legacy code and while trying to fix it I found a behaviour that I do not understand. 我在一些遗留代码中有错误,在尝试修复它时,我发现了一个我不理解的行为。 The application is a Spring MVC application that uses JSP and JSTL. 该应用程序是一个使用JSP和JSTL的Spring MVC应用程序。 The following is a simplified example that reproduces the behaviour I am talking about. 以下是再现我正在谈论的行为的简化示例。 The code of my controller is: 我的控制器的代码是:
@GetMapping("/users/thing")
public ModelAndView thing() {
ModelAndView model = new ModelAndView("users/thing");
String stringWithApostrophe = "Any'String";
String escapedWithHtmlUtils = HtmlUtils.htmlEscape(stringWithApostrophe);
model.addObject("stringWithApostrophe", stringWithApostrophe);
model.addObject("escapedWithHtmlUtils", escapedWithHtmlUtils);
return model;
}
The variable stringWithApostrophe
has an apostrophe character within it, and then I escape it and store the escaped value in other variable. 变量stringWithApostrophe
有一个撇号字符,然后我将其转义并将转义值存储在其他变量中。 After that I add both of them to the model. 之后,我将它们都添加到模型中。
My view is like this: 我的观点是这样的:
<p><a onClick="clicked('${stringWithApostrophe}');" href="#">stringWithApostrophe: ${stringWithApostrophe}</a></p>
<p><a onClick="clicked('${escapedWithHtmlUtils}');" href="#">escapedWithHtmlUtils: ${escapedWithHtmlUtils}</a></p>
<script type="text/javascript">
function clicked(text){
console.log(text);
}
</script>
If I press CTRL+U
in my browser to see the source of the page I see the following: 如果我在浏览器中按CTRL+U
查看页面的来源,我会看到以下内容:
<p><a onClick="clicked('Any'String');" href="#">stringWithApostrophe: Any'String</a></p>
<p><a onClick="clicked('Any'String');" href="#">escapedWithHtmlUtils: Any'String</a></p>
...which looks good, and renders like this: ...看起来不错,并呈现如下:
...which is what I expected too. ......这也是我的期望。 When I click the first link it fails also as expected, the browser console shows the error message Syntax error: missing ) after argument list
because the unescaped apostrophe broke the javascript code. 当我单击第一个链接时,它也会按预期失败,浏览器控制台会Syntax error: missing ) after argument list
显示错误消息Syntax error: missing ) after argument list
因为未转义的撇号打破了javascript代码。
However, although I expected the second link to work, it also fails, with the same error message . 但是,尽管我希望第二个链接起作用, 但它也会失败,并显示相同的错误消息 。 Why is this the case? 为什么会这样? I cannot understand it, the apostrophe is converted into an html entity as CTRL+U
shows, so it should not broke the javascript. 我无法理解,撇号被转换为CTRL+U
显示的html实体,因此它不应该破坏javascript。 I've been looking in the Internet about possible causes for this, but found nothing. 我一直在互联网上寻找可能的原因,但一无所获。 What am I missing? 我错过了什么?
Update : I've uploaded the example project I used to reproduce the error to Github, in case it is useful. 更新 :我已经上传了我用来向Github重现错误的示例项目 ,以防它有用。
As noted in your question, the apostrophe is successfully converted into an HTML entity reference by the HtmlUtils class to become '
正如你的问题中所提到的,撇号被HtmlUtils类成功转换为HTML实体引用,以成为'
. 。 The behavior you described is occurring because the HTML parsers resolve entity references in attribute values before content is handed off to the JavaScript engine. 您所描述的行为正在发生,因为HTML解析器在将内容传递给JavaScript引擎之前解析属性值中的实体引用。 The entity in the onclick(...)
statement is therefore decoded into the original character '
as shown below. 在实体onclick(...)
因此语句解码为原始字符'
,如下图所示。
onClick="clicked('Any'String');"
=> onClick="clicked('Any'String');"
=> onClick="clicked('Any'String');"
. 。
Therefore to the JS engine, the two onClick(...)
statements are equivalent. 因此,对于JS引擎,两个onClick(...)
语句是等价的。
See this related discussion discussion for more information on the issue. 有关该问题的更多信息,请参阅此相关讨论讨论。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.