Question about executing JavaScript post-processing in a Java application

Posted 2024-09-19 04:29:51, 1125 characters, 3 views, 0 comments


Traditionally we have always used XML in the response which is parsed by a JavaScript method to execute post processes. I came up with a new, simpler implementation which uses a hidden input set by a requestAttribute and executed in an Ajax callback.

JSP:

<%
    String jsPostProcess = (String)request.getAttribute("jsPostProcess");
    if (jsPostProcess!=null && jsPostProcess.trim().length()>0){
%>
        <input type="hidden" id="jsPostProcess" name="jsPostProcess"
            value="<%= jsPostProcess %> "/>
<%  } %>

AJAX CALLBACK:

var callback = {
    success: function(response) {
        var div = $(divId);
        if (div){
            div.innerHTML = response.responseText;
        }
        var jsPostProcess = $('jsPostProcess');
        if (jsPostProcess)
            eval(jsPostProcess.value);
    },
    failure: function(response) {
        alert('Something went wrong!');
    }
}

SERVLET CODE:

request.setAttribute("jsPostProcess", jsPostProcess);

It works beautifully, and it is so much simpler for adding js post processes to virtually any call no matter how simple or complex the functionality is. No need for customized js methods for parsing.

Curious if anyone could identify any potential problems with it (such as security issues?) or make any suggestions for other alternatives. We currently use Prototype and YUI 2 on the front-end.


Comments (1)

两仪 2024-09-26 04:29:54


First, there's no need for that unpleasant scriptlet code:

<c:if test='${not empty jsPostProcess}'>
  <input type='hidden' id='jsPostProcess' name='jsPostProcess' value='${jsPostProcess}'>
</c:if>

Next thing is that I hope that somewhere before this point the "jsPostProcess" value has been scrubbed so that it doesn't break the markup (like, in case it includes quotes).

Just calling eval() on the value like that seems a little dangerous, though perhaps you know pretty well what it's going to be.

Finally I would offer the suggestion that as an alternative to that, if the "post process" code isn't too big you could send it back in a response header. Then you wouldn't have to drop any meaningless markup into your page.

Oh, also finally: you might want to make the <input> be disabled. Or, alternatively, you don't even have to use an input: you can use this trick:

<script id='jsPostProcess' type='text/plain'>
  ${jsPostProcess}
</script>

Because the "type" attribute is "text/plain" the browsers won't try to execute that code, and you can get the "text" of the <script> element whenever you want.
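As an added example, not part of the question or the answer above: one way to keep the "post-process per call" convenience while dropping eval(). The server emits a small JSON descriptor naming a handler instead of JavaScript source, and the client only dispatches to a fixed table of handlers it already ships with, so nothing in the response is ever executed as code. The handler names, the descriptor format and the element id are assumptions made for this example.

```javascript
// Added example (not the question's or the answer's code): dispatch a
// server-supplied descriptor to a fixed set of handlers instead of eval().
// The server writes something like
//   {"handler":"refreshTotals","args":{"orderId":42}}
// into the text/plain <script> element (or the hidden input) instead of JS.

// Fixed table of post-process handlers the page is willing to run.
// Names and bodies are hypothetical; real ones would touch the DOM.
const POST_PROCESS_HANDLERS = {
  refreshTotals: function (args) { return 'refreshTotals:' + args.orderId; },
  closeDialog:   function (args) { return 'closeDialog:' + (args.id || ''); }
};

// Parse the descriptor and run the named handler. Malformed JSON, a missing
// or non-string handler name and names that are not the table's OWN
// properties (e.g. "constructor" inherited from Object.prototype) are all
// rejected rather than executed.
function runPostProcess(descriptorText, handlers) {
  var descriptor;
  try {
    descriptor = JSON.parse(descriptorText);
  } catch (e) {
    return { ok: false, reason: 'malformed descriptor' };
  }
  if (!descriptor || typeof descriptor.handler !== 'string' ||
      !Object.prototype.hasOwnProperty.call(handlers, descriptor.handler)) {
    return { ok: false, reason: 'unknown handler' };
  }
  var args = (descriptor.args && typeof descriptor.args === 'object')
    ? descriptor.args : {};
  return { ok: true, result: handlers[descriptor.handler](args) };
}

// Glue for the answer's text/plain <script> trick: read the descriptor text
// from the element and dispatch it. The element id is assumed, as in the
// answer; this function needs a browser DOM.
function runPostProcessFromElement(elementId) {
  var el = document.getElementById(elementId);
  if (!el) {
    return { ok: false, reason: 'no descriptor element' };
  }
  return runPostProcess(el.textContent, POST_PROCESS_HANDLERS);
}
```

With the hidden-input variant the descriptor still has to be attribute-escaped on the server (JSP `${...}` does not escape, `<c:out>` does), so a quote inside the payload cannot break out of the value attribute.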
