[英]Escaped html is again unescaped in jquery html method
I want to escape a title text in a div.我想转义 div 中的标题文本。 But when feeding the escaped text into html() call, its again un-escaping it.但是当将转义文本输入 html() 调用时,它再次取消转义它。 Here is the code这是代码
const title = $('<div/>').text('test <script>').html(); // test &lt;script&gt;
const span = `<span title="${title}">Hello world</span>`; // still correct
$('#test').html(span);
but now the generated html inside #span has again 'test <script';但是现在在#span 中生成的 html 再次具有 'test <script'; check the demo here:在此处查看演示:
// find elements var banner = $("#banner-message") var button = $("button") // handle click and add class button.on("click", () => { const title = $('<div/>').text('test <script>').html(); const span = `<span title="${title}">Hello world</span>`; $('#test').html(span); })
body { background: #20262E; padding: 20px; font-family: Helvetica; } #banner-message { background: #fff; border-radius: 4px; padding: 20px; font-size: 25px; text-align: center; transition: all 0.2s; margin: 0 auto; width: 300px; } button { background: #0084ff; border: none; border-radius: 5px; padding: 8px 14px; font-size: 15px; color: #fff; } #banner-message.alt { background: #0084ff; color: #fff; margin-top: 40px; width: 200px; } #banner-message.alt button { background: #fff; color: #000; }
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> <div id="banner-message"> <p id="test">Hello World</p> <button>Add title</button> </div>
Expected: Show title as "test <script>"预期:将标题显示为“测试<脚本>”
Actual: Showing title as "test "实际:显示标题为“测试”
Escape the string a second time.再次转义字符串。
function escape_html(str) { return str.replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>'); } // find elements var banner = $("#banner-message") var button = $("button") // handle click and add class button.on("click", () => { let title = escape_html(escape_html('test <script>')); const span = `<span title="${title}">Hello world</span>`; $('#test').html(span); })
body { background: #20262E; padding: 20px; font-family: Helvetica; } #banner-message { background: #fff; border-radius: 4px; padding: 20px; font-size: 25px; text-align: center; transition: all 0.2s; margin: 0 auto; width: 300px; } button { background: #0084ff; border: none; border-radius: 5px; padding: 8px 14px; font-size: 15px; color: #fff; } #banner-message.alt { background: #0084ff; color: #fff; margin-top: 40px; width: 200px; } #banner-message.alt button { background: #fff; color: #000; }
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> <div id="banner-message"> <p id="test">Hello World</p> <button>Add title</button> </div>
If you cannot break the script tag, you can escape the tag on the server or in a tag如果不能破坏脚本标签,可以在服务器上或标签中转义该标签
Note the code here is abusing a deprecated xmp
tag to show the issue because you CANNOT have </script>
anywhere in your script unless the script is external to the page - so if you plan to show请注意,此处的代码滥用了已弃用的xmp
标记来显示问题,因为除非脚本在页面外部,否则脚本中的任何位置都不能有</script>
- 所以如果您打算显示
<script>alert('Hello')</script>
then the page will not load correctly if the above string is not in xmp tags如果上面的字符串不在 xmp 标签中,则页面将无法正确加载
I have given TWO solutions based on original question and subsequent comment我根据原始问题和后续评论给出了两个解决方案
$("button").on("click", function() { const $converter = $("<div/>").text($("#textFromServer").text()) // Expected: Show title as "test <script>" $("#test1").prop("title", $converter.html()) // want the title as: "test &lt;script&gt;" $("#test2").prop("title", $converter.html().replace(/&/g, "&")) });
body { background: #20262E; padding: 20px; font-family: Helvetica; } #banner-message { background: #fff; border-radius: 4px; padding: 20px; font-size: 25px; text-align: center; transition: all 0.2s; margin: 0 auto; width: 300px; } button { background: #0084ff; border: none; border-radius: 5px; padding: 8px 14px; font-size: 15px; color: #fff; } #banner-message.alt { background: #0084ff; color: #fff; margin-top: 40px; width: 200px; } #banner-message.alt button { background: #fff; color: #000; }
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> <div id="banner-message"> <p id="test1">Hello World</p> <p id="test2">Hello World</p> <button>Add title</button> </div> <xmp style="display:none" id="textFromServer">test <script></xmp>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.