jQuery DOM 元素创建与innerHTML
在回答我的一个问题时,cletus提到 在 jQuery 中创建元素时,最好使用直接创建 DOM 元素
,而不是innerHTML
。我尝试用谷歌搜索,但找不到一篇有比较的好文章。
我在下面提供了这段代码作为示例,我想知道是否有人可以帮助我以直接 DOM 元素创建形式重写它,希望我以后也能了解其中的区别。
var img = $(this);
img.append('<p class="cap"><a href="'+img.parent().attr('href')+'">'+
img.attr('title')+'</p></a>');
非常感谢。
While having one of my questions answered, cletus mentioned that when creating elements in jQuery it's better to use direct DOM element creation
, instead of innerHTML
. I tried googling it but I wasn't able to find a good article with comparisons.
I've provided this code bellow as an example and I was wondering if someone could help me rewrite it in direct DOM element creation form in hope that i would also learn the difference afterwards.
var img = $(this);
img.append('<p class="cap"><a href="'+img.parent().attr('href')+'">'+
img.attr('title')+'</p></a>');
Thanks so much.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
是的,避免使用 HTML 字符串。您给自己带来了错误和潜在的跨站点脚本安全漏洞。例如:
如果父级
href
中的 URL 包含此 HTML 上下文中的特殊字符(例如<
、"
或&? 最好的情况是您会得到无效的标记,这可能会导致浏览器出错;最坏的情况是,如果 URL 来自用户提交,则会出现安全问题
(好的,
<
) 。和"
不太可能出现在 URL 中,但&
确实很有可能出现。您在文本内容中放入的title
可能会出现在 URL 中。变得更加脆弱。)这是一个大且日益严重的问题。正如我们开始解决来自服务器端模板的 HTML 注入错误(例如 PHP 用户忘记
htmlspecialchars()
),我们现在引入了加载使用innerHTML
和 jQuery 的html()
进行简单的 HTML 黑客攻击,从而产生新的客户端 XSS。避免。您可以手动转义插入到 HTML 中的文本:
但实际上,您最好使用直接 DOM 样式的属性和方法,因为它们不涉及 HTML 解析,所以不需要任何逃脱。它们被称为 DOM 风格,因为这是原始 DOM Level 1 HTML 功能的工作方式(早在
innerHTML
露出丑陋的头之前就已经存在了):在 jQuery 中,您使用
attr() 和
text()
来执行相同的操作:在 jQuery 1.4 中,您可以使用元素创建快捷方式最方便地完成此操作:
但这看起来仍然有点可疑,您的父级是什么从哪里获取
href
?在链接内放置或其他链接是无效的。
Yeah, avoid HTML string-slinging. You're giving yourself bugs and potentially cross-site scripting security holes. For example:
what if the URL in the parent's
href
contains characters that are special in this HTML context, like<
,"
or&
? At best you'll get invalid markup that might trip the browser up; at worst, if the URL comes from user submission, a security problem.(OK,
<
and"
are unlikely to appear in a URL, but&
is very likely indeed. Thetitle
you're putting in the text content may be more vulnerable.)This is a large and increasing problem. Just as we're starting to get a handle on fixing the HTML-injection bugs coming from templating on the server-side (eg. PHP users forgetting to
htmlspecialchars()
), we're now introducing loads of new client-side XSS from naïve HTML-hacking withinnerHTML
and jQuery'shtml()
. Avoid.You can escape text you're inserting into HTML manually:
but really, you're better off using the direct DOM-style properties and methods, which, since they involve no HTML parsing, don't require any escaping. They're called DOM-style because that's the way the original DOM Level 1 HTML features work (which existed back before
innerHTML
reared its ugly head):In jQuery you use
attr()
andtext()
to do the same:And in jQuery 1.4, you can do it most conveniently using an element creation shortcut:
This still looks a bit questionable though, what's the parent that you're getting the
href
from? It's invalid to put a<p>
, or another link, inside a link.这就是在 jQuery 中创建元素的方式:
然后您可以使用
myDiv
做各种很酷的事情。这是使用您的示例:
这有点冗长,但是是的。
This is how you create elements in jQuery:
And then you can do all kinds of cool stuff with
myDiv
.Here it is using your example:
It's a bit verbose, but yeah.