如何在 JavaScript 中安全地将任何内容转换为字符串
如果我有:
var test = {toString: function(){alert("evil code"); return "test";}};
如何将 test
转换为字符串?不调用 test.toString() 也不使用 typeof x == "string" 检查,因为我想允许非字符串。
注意:这适用于处理内容页 js 范围中的对象的 FF 扩展。
If I have:
var test = {toString: function(){alert("evil code"); return "test";}};
how can I convert test
to a string? without calling test.toString()
and without using a typeof x == "string"
check since I want to allow non strings.
Note: this is for a FF extension dealing with objects from a content page's js scope.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
遗憾的是,@Matthew Flaschen(目前已接受)的答案不适用于 ES6 / ES2015 中的
Symbol
类:https://jsfiddle.net/L8adq9y4/
(我不知道为什么,因为
Symbol
有一个非常好的toString()
方法:)https://jsfiddle.net/v1rqfhru/
不过有一个解决方案:
String()
函数似乎能够将任何值(至少是我尝试过的值)转换为String
。如果存在,它甚至会调用toString()
:https://jsfiddle.net/6uc83tsc/
因此,将您喜欢的任何内容传递到
String()
中,您将得到一个非常好的结果。Sadly, @Matthew Flaschen's (currently accepted) answer does not work with the
Symbol
class from ES6 / ES2015:https://jsfiddle.net/L8adq9y4/
(I have no idea why, as
Symbol
has a perfectly goodtoString()
method:)https://jsfiddle.net/v1rqfhru/
There's a solution though: the
String()
function seems to be able to convert any value (at least out of the ones I tried) into aString
. It will even calltoString()
if it exists:https://jsfiddle.net/6uc83tsc/
So, pass anything you like into
String()
and you'll get a pretty good result.JavaScript 允许您修改脚本可访问的几乎任何对象的属性,包括 Object.prototype 本身,这意味着任何对象都容易受到“邪恶代码”的攻击你解释的方式。
只有原语才能保证安全,因此确保“邪恶代码”永远不会执行的唯一方法是执行以下操作:
JavaScript allows you to modify the properties of pretty much any object that is accessible to your script, including
Object.prototype
itself, meaning any object is vulnerable to "evil code" in the manner that you explained.Only primitives are guaranteed to be safe, so the only way to ensure that "evil code" is never executed is to do something like this:
一种选择是:
这给出:
在测试的情况下。基本上,它只是提供类型信息。但是,我想知道这里的确切场景是什么。邪恶对象是如何加载到页面中的?如果他们可以在页面上执行任意代码,那么您基本上就不走运了。除此之外,还可以重新定义
Object.prototype.toString
。One option is:
This gives:
in the case of test. Basically, it just gives type information. However, I wonder what the exact scenario is here. How is the evil object getting loaded into the page? If they can execute arbitrary code on the page, you're basically out of luck. Among other things, it is then possible to redefine
Object.prototype.toString
.您的
(toString: function(){alert("evil code"); return "test";})
甚至没有在这里进行解析,它会引发语法错误。我认为您想使用{}
而不是()
。通常,您可以使用空字符串和加号运算符来执行强制转换:
但在这里,没有真正的方法可以安全地转换对象。
您可以使用
delete test.toString
来摆脱覆盖的方法,之后它将回退到正常的toString
方法,该方法返回'[object Object] '
。您还可以通过test.toString.toString()
将toString
方法本身转换为字符串。这取决于你到底想在这里做什么。
Your
(toString: function(){alert("evil code"); return "test";})
doesn't even get parsed here, it throws a syntax error. I think you wanted to use{}
instead of()
.Normally you could use an empty string and the plus operator to perform a cast:
But here, there's no real way to convert the object safely.
You can use
delete test.toString
to get rid of the overridden method, after that it will fall back to the normaltoString
method which returns'[object Object]'
. You can also convert thetoString
method itself into a string viatest.toString.toString()
.It's up to you what you exactly want to do here.
您只能检查
undefined
情况并将其转换为使用String
构造函数像这样。
let a = [1,2,3]
String(a)
例外情况:
String(undefined) --> “未定义”
希望有帮助
You can check only
undefined
cases and convert it to usingString
constructorlike this.
let a = [1,2,3]
String(a)
Exceptional case :
String(undefined) --> "undefined"
Hope it helps
您可以使用 lodash toString 方法。
文档链接
You can use lodash toString method.
Link to documentation
在 JavaScript 中,函数
String
是双面的。因此,只需使用
String(anything)
withoutnew
即可。In JavaScript the function
String
is Janus-faced.So just use
String(anything)
withoutnew
.