堆栈内存溢出
  简体   繁体   English

转义的 html 在 jquery html 方法中再次未转义

[英]Escaped html is again unescaped in jquery html method

 原文  2020-08-11 06:12:43       javascript/ jquery/ html-escape-characters

问题描述

I want to escape a title text in a div.我想转义 div 中的标题文本。 But when feeding the escaped text into html() call, its again un-escaping it.但是当将转义文本输入 html() 调用时,它再次取消转义它。 Here is the code这是代码

const title = $('<div/>').text('test <script>').html(); // test &amp;lt;script&amp;gt;
const span = `<span title="${title}">Hello world</span>`; // still correct
$('#test').html(span);

but now the generated html inside #span has again 'test <script';但是现在在#span 中生成的 html 再次具有 'test <script'; check the demo here:在此处查看演示: 

 // find elements var banner = $("#banner-message") var button = $("button") // handle click and add class button.on("click", () => { const title = $('<div/>').text('test <script>').html(); const span = `<span title="${title}">Hello world</span>`; $('#test').html(span); })
 body { background: #20262E; padding: 20px; font-family: Helvetica; } #banner-message { background: #fff; border-radius: 4px; padding: 20px; font-size: 25px; text-align: center; transition: all 0.2s; margin: 0 auto; width: 300px; } button { background: #0084ff; border: none; border-radius: 5px; padding: 8px 14px; font-size: 15px; color: #fff; } #banner-message.alt { background: #0084ff; color: #fff; margin-top: 40px; width: 200px; } #banner-message.alt button { background: #fff; color: #000; }
 <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> <div id="banner-message"> <p id="test">Hello World</p> <button>Add title</button> </div>

  1. Click the button add title点击按钮添加标题
  2. Hover the element to check the title Hover 检查标题的元素

Expected: Show title as "test &lt;script&gt;"预期:将标题显示为“测试&lt;脚本&gt;”

Actual: Showing title as "test "实际:显示标题为“测试”

2 个解决方案

解决方案1
 1  2020-08-11 06:48:27

Escape the string a second time.再次转义字符串。 

 function escape_html(str) { return str.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;'); } // find elements var banner = $("#banner-message") var button = $("button") // handle click and add class button.on("click", () => { let title = escape_html(escape_html('test <script>')); const span = `<span title="${title}">Hello world</span>`; $('#test').html(span); })
 body { background: #20262E; padding: 20px; font-family: Helvetica; } #banner-message { background: #fff; border-radius: 4px; padding: 20px; font-size: 25px; text-align: center; transition: all 0.2s; margin: 0 auto; width: 300px; } button { background: #0084ff; border: none; border-radius: 5px; padding: 8px 14px; font-size: 15px; color: #fff; } #banner-message.alt { background: #0084ff; color: #fff; margin-top: 40px; width: 200px; } #banner-message.alt button { background: #fff; color: #000; }
 <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> <div id="banner-message"> <p id="test">Hello World</p> <button>Add title</button> </div>

解决方案2
 0  2020-08-11 06:37:30

If you cannot break the script tag, you can escape the tag on the server or in a tag如果不能破坏脚本标签,可以在服务器上或标签中转义该标签

Note the code here is abusing a deprecated xmp tag to show the issue because you CANNOT have </script> anywhere in your script unless the script is external to the page - so if you plan to show请注意,此处的代码滥用了已弃用的xmp标记来显示问题,因为除非脚本在页面外部,否则脚本中的任何位置都不能</script> - 所以如果您打算显示

<script>alert('Hello')</script>

then the page will not load correctly if the above string is not in xmp tags如果上面的字符串不在 xmp 标签中,则页面将无法正确加载

I have given TWO solutions based on original question and subsequent comment我根据原始问题和后续评论给出了两个解决方案

 $("button").on("click", function() { const $converter = $("<div/>").text($("#textFromServer").text()) // Expected: Show title as "test &lt;script&gt;" $("#test1").prop("title", $converter.html()) // want the title as: "test &amp;lt;script&amp;gt;" $("#test2").prop("title", $converter.html().replace(/&/g, "&amp;")) });
 body { background: #20262E; padding: 20px; font-family: Helvetica; } #banner-message { background: #fff; border-radius: 4px; padding: 20px; font-size: 25px; text-align: center; transition: all 0.2s; margin: 0 auto; width: 300px; } button { background: #0084ff; border: none; border-radius: 5px; padding: 8px 14px; font-size: 15px; color: #fff; } #banner-message.alt { background: #0084ff; color: #fff; margin-top: 40px; width: 200px; } #banner-message.alt button { background: #fff; color: #000; }
 <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> <div id="banner-message"> <p id="test1">Hello World</p> <p id="test2">Hello World</p> <button>Add title</button> </div> <xmp style="display:none" id="textFromServer">test <script></xmp>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在某些浏览器中,由jquery .html()转义的转义的html字符未被转义 - Escaped html characters are being unescaped by jquery .html() in some browsers 带有转义html的Jquery - tag属性会自动转义 - Jquery - tag attribute with escaped html gets unescaped automatically rails 3 转义 html 标签在作为 JSON 使用时在浏览器中未转义 - rails 3 escaped html tags unescaped in browser when served as JSON jQuery不会解析.html()方法中的转义HTML - jQuery don't parse escaped HTML in .html() method jQuery:在Chrome中使用未转义的html填充textarea - jquery: Fill textarea with unescaped html in Chrome jQuery-添加常规HTML和转义HTML - JQuery - Add regular HTML along with escaped HTML 为什么 $('div:not(script)').contents().filter(function() 导致转义的 HTML 字符变为未转义? - Why is $('div :not(script)').contents().filter(function() causing escaped HTML characters to become unescaped? 如何获取未转义的JSON内容的HTML转义的JSON数据 - How can i get html-escaped JSON data of unescaped JSON content HTML中未转义的字符串 - Unescaped String in HTML 使用Jquery创建带有转义文本+ HTML的元素 - Use Jquery to create an element with escaped text + HTML
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM