[英]how to escape JavaScript code in HTML
I have some addHtml
JavaScript function in my JS code. 我的JS代码中有一些
addHtml
JavaScript函数。 I wonder how to escape HTML/JS code properly. 我想知道如何正确地逃避HTML / JS代码。 Basically, what I am trying right now is:
基本上,我现在正在尝试的是:
addHtml("<a onclick=\"alert(\\\"Hello from JS\\\")\">click me</a>")
However, that doesn't work. 但是,这不起作用。 It adds the
a
element but it doesn't do anything when I click it. 它添加了
a
元素,但是当我点击它时它什么都不做。
I don't want to replace all "
by '
as a workaround. (If I do, it works.) 我不想将所有
"
by '
替换为解决方法。(如果我这样做,它可以工作。)
I wonder how to escape HTML/JS code properly.
我想知道如何正确地逃避HTML / JS代码。
To insert string content into an HTML event handler attribute: 要将字符串内容插入HTML事件处理程序属性:
(1) Encode it as a JavaScript string literal: (1)将其编码为JavaScript字符串文字:
alert("Hello \"world\"");
(2) Encode the complete JavaScript statement as HTML: (2)将完整的JavaScript语句编码为HTML:
<a onclick="alert("Hello \"world\""">foo</a>
And since you seem to be including that HTML inside a JavaScript string literal again, you have to JS-encode it again : 而且因为你似乎是包括 HTML一个JavaScript字符串字面量再次里面,你必须再次 JS编码它:
html= "<a onclick=\"alert("Hello \\"world\\""\">foo<\/a>";
Notice the double-backslashes and also the <\\/
, which is necessary to avoid a </
sequence in a <script>
block, which would otherwise be invalid and might break. 注意双反斜杠和
<\\/
,这是避免<script>
块中的</
sequence所必需的,否则它将无效并且可能会中断。
You can make this less bad for yourself by mixing single and double quotes to cut down on the amount of double-escaping going on, but you can't solve it for the general case; 你可以通过混合单引号和双引号来减少双重转义的数量,从而减少对自己的影响,但是对于一般情况你无法解决它; there are many other characters that will cause problems.
还有许多其他角色会导致问题。
All this escaping horror is another good reason to avoid inline event handler attributes . 所有这些逃避恐怖是避免内联事件处理程序属性的另一个好理由。 Slinging strings full of HTML around sucks.
抛出充满HTML的字符串。 Use DOM-style methods, assigning event handlers directly from JavaScript instead:
使用DOM样式的方法,直接从JavaScript分配事件处理程序:
var a= document.createElement('a');
a.onclick= function() {
alert('Hello from normal JS with no extra escaping!');
};
My solution would be 我的解决方案是
addHtml('<a onclick="alert(\'Hello from JS\')">click me</a>')
I typically use single quotes in Javascript strings, and double quotes in HTML attributes. 我通常在Javascript字符串中使用单引号,在HTML属性中使用双引号。 I think it's a good rule to follow.
我认为这是一个很好的规则。
How about this? 这个怎么样?
addHtml("<a onclick=\"alert("Hello from JS")\">click me</a>");
It worked when I tested in Firefox, at any rate. 无论如何,我在Firefox中进行测试时都能正常工作。
addHtml("<a onclick='alert(\"Hello from JS\")'>click me</a>")
What does the final HTML rendered in the browser look like ? 浏览器中呈现的最终HTML是什么样的? I think the three slashes might be causing an issue .
我认为这三个斜线可能会导致问题。
The problem is probably this... 问题可能是这个......
As your code is now, it will add this to the HTML 正如您的代码现在,它将添加到HTML
<a onclick="alert("Hello from Javascript")"></a>
This is assuming the escape slashes will all be removed properly. 这是假设所有逃逸斜线都将被正确删除。
The problem is that the alert can't handle the " inside it... you'll have to change those quotes to single quotes. 问题是警报无法处理“内部...你必须将这些引号改为单引号。
addHtml("<a onclick=\"alert(\\\'Hello from JS\\\')\">click me</a>")
That should work for you. 这对你有用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.