如何在 html 中禁用内联 javascript?
[英]How to disable inline javascript in html?
问题描述
I have html entered by user that is put in an iframe.
我将用户输入的 html 放入 iframe 中。 The purpose is to suppress all inline javascript in the html.目的是抑制 html 中的所有内联 javascript。 Have thought about Regexp to remove all scripts, but it caught only <script> ... </script> , but no <txt onload='..javascript...曾想过使用 Regexp 删除所有脚本,但它只捕获了<script> ... </script> ,但没有捕获<txt onload='..javascript...
This is the regex: /<\\s*script[^>]*>[^<]*<\\s*\\/\\s*script\\s*>/gi这是正则表达式: /<\\s*script[^>]*>[^<]*<\\s*\\/\\s*script\\s*>/gi
How can I block all js in the entered html?如何阻止输入的 html 中的所有 js?
1 个解决方案
解决方案1
1 已采纳 2020-03-28 10:32:52
Just set sandbox="" in the iframe tag and that won't allow scripts to execute.只需在 iframe 标记中设置sandbox=""并且不允许脚本执行。
To figure it out you can add the sandbox attribute in this demo https://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe , then run it and open your console.要弄清楚,您可以在此演示https://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe 中添加sandbox属性,然后运行它并打开您的控制台。
Chrome displays this message: Chrome 显示此消息:
Blocked script execution in '' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.