堆栈内存溢出
  简体   繁体   English

如何防止 Showdown 删除脚本标签?

[英]How to prevent Showdown from removing script tags?

 原文  2021-01-09 18:08:10       javascript/ showdown

问题描述

I was testing out something and tried to put this into Showdown:我正在测试一些东西并试图将它放入摊牌:

<script>alert("hacked!");</script>

Of course it didn't alert anything (Showdown is made to protect against those sorts of things), but the <script> tag gets removed completely.当然它没有提醒任何东西(摊牌是为了防止这些事情发生),但是<script>标记被完全删除了。 I am using this for a user description, so the script tag (and it's contents) should be visible, just not executed.我将其用于用户描述,因此脚本标签(及其内容)应该是可见的,只是未执行。

I was thinking that most likely I would need to change some built in Showdown code but couldn't find any place in it's code that I should change to only show the script tags but not execute them.我在想我很可能需要更改一些内置的 Showdown 代码,但在它的代码中找不到任何我应该更改为仅显示脚本标签但不执行它们的地方。

Does anyone know any existing options or some changes to the source code to show this?有谁知道任何现有的选项或源代码的一些更改来显示这一点?

2 个解决方案

解决方案1
 0  2021-01-09 18:23:21

I found this place in the code and it is responsible for hashing HTML tags such as: <script> or </script> .我在代码中找到了这个地方,它负责散列 HTML 标签,例如: <script></script>

https://github.com/showdownjs/showdown/blob/a9f38b6f057284460d6447371f3dc5dea999c0a6/src/subParsers/makehtml/hashHTMLBlocks.js https://github.com/showdownjs/showdown/blob/a9f38b6f057284460d6447371f3dc5dea999c0a6/src/subParsers/makehtml/hashHTMLBlocks.js

I think you should only delete lines 329 in the file我认为您应该只删除文件中的第 329 行

https://github.com/showdownjs/showdown/blob/a9f38b6f057284460d6447371f3dc5dea999c0a6/src/converter.js https://github.com/showdownjs/showdown/blob/a9f38b6f057284460d6447371f3dc5dea999c0a6/src/converter.js

And everything should work.一切都应该工作。

解决方案2
 0 已采纳  2021-01-11 19:34:16

I found the answer: I just needed to replace the start and end of the <script> tags with something visible, like &lt;script and &lt;/script&gt;我找到了答案:我只需要将<script>标记的开头和结尾替换为可见的内容,例如&lt;script&lt;/script&gt;

This is the code I used:这是我使用的代码:

myshowdownhtml.split("<script").join("&lt;script").split("<"+"/script>").join("&lt;/script&gt;");

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何防止jquery删除<script> tags - How to prevent jquery from removing the <script> tags 如何防止文本中的脚本标记执行? - How to prevent script tags in text from executing? angularjs如何阻止内联脚本标记执行? - How does angularjs prevent inline script tags from executing? 如何防止TinyMCE将CDATA添加到<script>标签和注释<style>标签? - How can I prevent TinyMCE from adding CDATA to <script> tags and from commenting out <style> tags? 如何防止Lightbox_me脚本删除浏览器滚动条? - How can I prevent the Lightbox_me script from removing the browser scroll bar? 使用 JS 正则表达式从 html 中删除所有脚本标签 - Removing all script tags from html with JS Regular Expression 如何防止 TinyMCE 5 删除 \\r\\n - How to prevent TinyMCE 5 from removing \r\n 防止$ .pjax将动态脚本标签移动到头部 - Prevent $.pjax from moving dynamic script tags to the head section 如何防止此正则表达式代码删除句点? - How to prevent this regex code from removing the period? 如何在从raw-loader导入文本并使用showdown格式化时保留VueJS中的换行符 - How to preserve newlines in VueJS when importing text from raw-loader and formatted using showdown
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM