JavaScript 中的嵌套引号
这里有一个菜鸟问题...
我在表行列表上有一个 javascript 函数
<tr onclick="ClosePopup('{ScenarioID}', '{Name}');" />
但是,{Name} 值有时可以包含字符 "'" (单引号)。目前,错误 预期:')' 出现,因为它有效地提前结束了 javascript 函数并破坏了语法。
禁止 {Name} 值中的单引号影响 JavaScript 的最佳方法是什么?
干杯!
A bit of a noob question here...
I have a javascript function on a list of table rows
<tr onclick="ClosePopup('{ScenarioID}', '{Name}');" />
However, the {Name} value can sometimes contain the character "'" (single quote). At the moment the error Expected: ')' comes up as a result because it is effectivly ending the javascript function early and destroying the syntax.
What is the best way to prohibit the single quotes in {Name} value from effecting the javascript?
Cheers!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
您正在犯下不安全的 Web 模板编程的第一个致命罪 - 没有转义正在呈现到模板中的值的内容。我几乎可以向您保证,如果您采用这种方法,您的 Web 应用程序将容易受到 XSS(跨站点脚本)攻击,并且任何第三方都将能够在您的页面中运行自定义 JavaScript,窃取用户数据并随心所欲地造成严重破坏。
一探究竟。 http://en.wikipedia.org/wiki/Cross-site_scripting
解决方案是来逃避内容。要在 javascript(也在 html 中)中正确执行此操作,不仅仅是将转义序列放在反斜杠前面。
任何像样的模板引擎都应该为您提供一种在写入模板时转义内容的方法。您的数据库值可以保留原样,重要的部分是在输出时对其进行转义。如果您的模板引擎或动态 Web 应用程序框架不允许这样做,请更改为允许的框架。 :)
You're committing the first mortal sin of insecure web template programming - not escaping the content of the values being rendered into the template. I can almost guarantee you that if you take that approach, your web app will be vulnerable to XSS (cross site scripting) and any third party will be able to run custom javascript in your page, stealing user data and wreaking havoc as they wish.
Check it out. http://en.wikipedia.org/wiki/Cross-site_scripting
The solution is to escape the content. And to do that properly in the javascript, which is also inside html, is a lot more than just putting escape sequences in front of backslashes.
Any decent templating engine out there should provide you a way to escape content as it's written to the template. Your database values can be left as-is, the important part is escaping it at output time. If your template engine or dynamic web app framework doesn't allow for this, change to one that does. :)
为了支持之前的评论,请阅读以下内容,以更好地理解为什么安全建议如此重要。
http://eval.symantec.com/ mktginfo/enterprise/white_papers/b-whitepaper_web_based_attacks_03-2009.en-us.pdf
In support of the prior comment please read the following to gain a better understanding of why the security advice is so important.
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_web_based_attacks_03-2009.en-us.pdf
我认为你可以杀死任何代码注入,例如,替换
为
I would think that you could kill just about any code injection by, for example, replacing
with
尽管每个人提供的安全信息都非常有价值,但在这种情况下它与我无关,因为本例中的所有内容都是客户端,在获取数据和呈现 XML 时应用了安全措施。该页面还通过 Windows 身份验证(仅限管理部分)进行保护,并且 Web 应用程序框架无法更改。我一直在寻找的答案最终非常简单。
Although the security information provided by everyone is very valuable, it was not so relevant to me in this situation as everything in this instance is clientside, security measures are applied when getting the data and rendering the XML. The page is also protected through windows authentication (adminsitration section only) and the web app framework cannot be changed. The answer i was looking for was really quite simple in the end.