GWT:setInnerHTML unescapes属性值
[英]GWT: setInnerHTML unescapes attribute values
问题描述
This string: <a onclick="doit(''')">...</a> is received from the server-side and needs to be set as the inner HTML of an element. 
此字符串:从服务器端接收<a onclick="doit(''')">...</a> ,需要将其设置为元素的内部HTML。
When I use Element#setInnerHTML the string is converted to <a onclick="doit(''')">...</a> , ie unescapes the HTML entity to the character it represents. 当我使用Element#setInnerHTML ,字符串将转换为<a onclick="doit(''')">...</a> ,即将HTML实体转换为它所代表的字符。
How can I preform the inner HTML assignment with no entity conversions? 如何在没有实体转换的情况下预先形成内部HTML赋值?
Clarification: The inner HTML assignment only unescapes entities inside attribute values. 澄清:内部HTML分配仅对属性值内的实体进行unescape。
1 个解决方案
解决方案1
2 2012-07-18 19:54:40
The setInnerHTML() implementation itself poses no issue, since its only role is to assign a property value to the underlying JS object, as can be seen by examining Element 's source code: setInnerHTML()实现本身没有任何问题,因为它的唯一作用是将属性值赋给底层JS对象,可以通过检查Element的源代码看出:
public final native void setInnerHTML(String html) /*-{
this.innerHTML = html || '';
}-*/;
The problem lies within the browser, innocently following the Charset Entity References guides in the HTML Document Representation specifications and parsing your entities, which are allowed (thus get parsed) inside attribute nodes. 问题出在浏览器中,无意中遵循HTML文档表示规范中的Charset Entity References指南并解析您的实体,这些实体在属性节点内被允许 (因此被解析)。
From the specification: 从规格:
Authors should also use "
&" in attribute values since character references are allowed within CDATA attribute values.&”,因为CDATA属性值中允许使用字符引用。
Solution 解
On the server side (or via a filter or a designated client proxy), escape all special characters inside attribute values with the corresponding HTML entities, eg: 在服务器端(或通过过滤器或指定的客户端代理),使用相应的HTML实体转义属性值内的所有特殊字符,例如:
<a onclick=\"doit('&#39;')\">...</a>
References on W3C 参考W3C
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.