javascript中如何处理不同种类的编码
我认识到,根据我想要使用某些参数的上下文,至少有 4 种编码是必要的,以避免执行损坏的代码:
构建 javascript 代码时的 Javascript 编码,例如
var a = "怎么了?" var b = "警报('" + a + "');" 评估(b); // 或执行 b 作为代码的任何其他内容使用字符串作为 url 参数时的 URL 编码,例如
var a = "邦妮和克莱德"; var b = "mypage.html?par=" + a; window.location.href = b; // 或任何其他尝试使用 b 作为 URL 的内容使用字符串作为某些元素的 HTML 源时的 HTML 编码,例如
var a = ""; b.innerHTML = a; // 或任何其他直接解释 a 的东西使用字符串作为属性值时的 HTML 属性编码,例如
var a = 'alert("hello")'; var b = ''; // 或任何其他使用 a 作为标签属性(一部分)的内容
在 ASP.NET 代码隐藏中时,我知道在所有 4 种情况下对字符串进行编码的方法(例如使用 DataContractJsonSerializer、HttpUtility.UrlEncode、HttpUtility.HtmlEncode 和 HttpUtility.HtmlAttributeEncode),了解是否存在会非常有趣在这 4 种情况下,我可以直接从 javascript 使用一些实用程序来编码/解码字符串。
I recognized that based on a context in which I want to use some parameters, there are at least 4 kinds of encoding that are necessary to avoid corrupted code being executed :
Javascript encoding when constructing a javascript code, e.g.
var a = "what's up ?" var b = "alert('" + a + "');" eval(b); // or anything else that executes b as codeURL encoding when using a string as a parameter into the url, e.g.
var a = "Bonnie & Clyde"; var b = "mypage.html?par=" + a; window.location.href = b; // or anything else that tries to use b as URLHTML encoding when using a string as an HTML source of some element, e.g.
var a = "<script>alert('hi');</script>"; b.innerHTML = a; // or anything else that interprets a directlyHTML attribute encoding when using a string as a value of an attribute, e.g.
var a = 'alert("hello")'; var b = '<img onclick="' + a + '" />'; // or anything else that uses a as a (part of) a tag's attribute
While in the ASP.NET codebehind I'm aware of ways to encode the string in all 4 cases (using e.g. DataContractJsonSerializer, HttpUtility.UrlEncode, HttpUtility.HtmlEncode and HttpUtility.HtmlAttributeEncode), it would be quite interesting to know whether there are some utilities that I could use directly from javascript to encode / decode strings in these 4 cases.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
情况 2 可以使用encodeURIComponent() 处理,如 danp 建议。
情况 3 在大多数浏览器中不会执行脚本< /a>.如果您希望文档的输出为
,则应该编辑元素的文本内容:情况 1 和 4 并不是真正的情况编码问题,它们是卫生问题。对传递给这些函数的字符串进行编码可能会导致语法错误,或者只是导致字符串值未分配给任何内容。清理通常涉及寻找某些模式,然后允许或禁止该操作 - 白名单比黑名单更安全(这听起来很糟糕!)。
Internet Explorer 8 有一个有趣的功能,称为窗口。 toStaticHTML() 将从 HTML 字符串中删除任何脚本内容。对于在插入 DOM 之前清理 HTML 非常有用。不幸的是,它是专有的,因此您在其他浏览器中找不到此功能。
Case 2 can be dealt with using encodeURIComponent(), as danp suggested.
Case 3 won't execute the script in most browsers. If you want the output to the document to be
<script>...</script>, you should edit the text content of the element instead:Cases 1, and 4 aren't really encoding issues, they're sanitation issues. Encoding the strings passed to these functions would probably cause a syntax error or just result in a string value that isn't assigned to anything. Sanitizing usually involves looking for certain patterns and either allowing the action or disallowing it - it's safer to have a whitelist than a blacklist (that sounds terrible!).
Internet Explorer 8 has an interesting function called window.toStaticHTML() that will remove any script content from a HTML string. Very useful for sanitizing HTML before inserting into the DOM. Unfortunately, it's proprietary so you won't find this function in other browsers.
您可以使用 javascript 函数
escape(..)来实现其中一些目的。e:居然忘记了!抱歉,这是一个已弃用的函数 -
encodeURI()、decodeURI()等是前进的方向!详细信息此处。You can use the javascript function
escape(..)for some of these purposes.e: actually forget! sorry, it's a deprecated function -
encodeURI(),decodeURI()etc are the way forward! Details here.