尽管使用 htmlspecialchars 对单引号进行编码,JavaScript 仍然抱怨这些引号需要在 function 调用中转义
[英]Despite single quotes being encoded using htmlspecialchars, JavaScript is still complaining that these quotes need to be escaped in the function call
问题描述
Something strange is occurring and I'm stumped.
发生了一些奇怪的事情,我很困惑。
I have a link that looks basically like this:我有一个基本上看起来像这样的链接:
<a href="javascript:uploadVariantPicture('size:'test2'');">Link</a>
As you can see, I'm calling function uploadVariantPicture with parameter "size:'test2'".如您所见,我使用参数“size:'test2'”调用 function uploadVariantPicture。
However, when I actually click the link, JavaScript complains that the two encoded single quotes aren't being escaped.但是,当我实际单击该链接时, JavaScript 抱怨两个编码的单引号没有被转义。 I'm getting the following error:我收到以下错误:
SyntaxError: Unexpected identifier 'test2'.
If I decode the two encoded single quotes and escape them using a backslash, then the function call succeeds.如果我解码两个编码的单引号并使用反斜杠对其进行转义,则 function 调用成功。 But the problem is I need it encoded.但问题是我需要对其进行编码。 I cannot leave it unencoded and escape the quotes.我不能让它不编码并转义引号。 This won't work for my situation.这不适用于我的情况。
Any help is greatly appreciated.任何帮助是极大的赞赏。 I'm super confused.我超级困惑。
2 个解决方案
解决方案1
2 2021-01-10 21:58:35
HTML character entities and escapes are replaced by the HTML parser when parsing source.在解析源代码时,HTML 字符实体和转义被 HTML 解析器替换。 For quotation marks, it allows inclusion of the same kind of quotation mark in an HTML attribute that is being used to quote the attribute value in source.对于引号,它允许在用于引用源中的属性值的 HTML 属性中包含相同类型的引号。
EG例如
<element attribute=""">
<element attribute='''>
in source would produce attribute values of " (double quote) and ' (single quote) respectively, despite being the delimters used to quote the attribute value in HTML source.在源代码中将分别产生" (双引号)和' (单引号)的属性值,尽管是用于引用 HTML 源代码中的属性值的分隔符。
Hence因此
<a href="javascript:uploadVariantPicture('size:'test2'');">Link</a>
will produce an href attribute value of将产生一个href属性值
javascript:uploadVariantPicture('size:'test'');
after removal of the outer double quotes by the HTML parser.在 HTML 解析器删除外部双引号后。
Options could include escaping double quotes (HTML " ) inside the href value appropriately (it depends on the syntax accepted by uploadVariantPicture ), including backslash escapes before the single quotes as mentioned in the post, or not using the javascript: pseudo protocol at all, in favor of adding an event listener in JavaScript.选项可以包括 escaping 双引号 (HTML " ) 在href值内适当地(这取决于uploadVariantPicture接受的语法),包括帖子中提到的单引号之前的反斜杠转义,或者不使用javascript:伪协议,赞成在 JavaScript 中添加事件监听器。
Not using javascript: pseudo protocol is highly recommended - basically it's a hold over from HTML3.不使用javascript:强烈建议使用伪协议 - 基本上它是 HTML3 的保留。
解决方案2
1 已采纳 2021-01-10 21:16:15
Consider attaching an event handler properly using JavaScript instead so you don't have to worry about escaping issues, and so that you don't have to rely on the pollution of the global object for the script to work:考虑使用 JavaScript 正确附加事件处理程序,这样您就不必担心 escaping 问题,并且您不必依赖全局 ZA8CFDE6331BD59EB2AC96F8911C4B66Z 的污染来运行脚本:
const uploadVariantPicture = (arg) => console.log(arg); document.querySelector('a').addEventListener('click', () => { uploadVariantPicture("size:'test2'"); });
<a>Link</a>
I can't think of any situations in which an inline handler would be preferable to addEventListener , unless you were deliberately trying to exploit an XSS vulnerability.我想不出内联处理程序比addEventListener更可取的任何情况,除非您故意尝试利用 XSS 漏洞。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.