ASP.NET 自动转义字符？

发布于 2024-11-30 01:44:02 字数 821 浏览 0 评论 0原文

我正在使用 .ASPX.CS 页面中包含的以下代码...

img = "<img src=\"" + yellow + "\" align=\"middle\" onclick=\"alert('You are the current high bidder but the auction's minimum bid reserve has not been met. You need to increase your max bid until the reserve has been met to have a chance in winning this domain auction.');return false;\" class=\"sBtnImg\" alt=\"\" />";

它使用以下内容写入 asp:repeater 中的 .ASPX 页面...

<%# getAuctionFlag(Eval("AuctionAmt").ToString(), Eval("WinningBid").ToString(), Eval("UserMaxBid").ToString(), Eval("AuctionTypeDesc").ToString(), "", Eval("BidStatus").ToString())%>

我遇到的问题是警报包含拍卖中的一个报价以及我所有逃避它的尝试都失败了。我尝试了 \' 和 ' 但 .NET 在将其呈现为 HTML 之前对其进行了转义。所以我最终...

onclick="alert('TEXTHERE' TEXTHERE');return false;"

原文

I'm working with the following code that is contained in a .ASPX.CS page...

img = "<img src=\"" + yellow + "\" align=\"middle\" onclick=\"alert('You are the current high bidder but the auction's minimum bid reserve has not been met. You need to increase your max bid until the reserve has been met to have a chance in winning this domain auction.');return false;\" class=\"sBtnImg\" alt=\"\" />";

It gets written to a .ASPX page within a asp:repeater using the following...

<%# getAuctionFlag(Eval("AuctionAmt").ToString(), Eval("WinningBid").ToString(), Eval("UserMaxBid").ToString(), Eval("AuctionTypeDesc").ToString(), "", Eval("BidStatus").ToString())%>

The problem I am having is that the alert contains a single quote within auction's and all my attempts to escape it have failed. I tried \' and ' but .NET escapes it before it gets rendered as HTML. So I end up with...

onclick="alert('TEXTHERE' TEXTHERE');return false;"

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

断桥再见 2024-12-07 01:44:02

单个反斜杠引号会在 C# 字符串文字语法级别进行解释（返回到单引号）。您需要获得一个 \' 序列直至 HTML 级别，这意味着作为字符串文字，您必须使用 \\'。

更好的长期答案是停止嵌套字符串上下文。当您在 C# 字符串文字内的 HTML 标记中包含 JavaScript 代码时，您必须立即考虑多个级别的转义，而人类并不擅长这样做。一次将转义分解为一个级别，在可用的情况下使用替代引号，并将数据放入属性而不是代码中：

string warning= (
    "You are the current high bidder but the auction's minimum bid reserve "+
    "has not been met. You need to increase your max bid until the reserve "+
    "the reserve has been met to have a chance in winning this domain auction."
);

string html= String.Format(
    "<img src='{0}' class='sBtnImg' title='{1}' onclick='alert(this.title);'/>",
    HttpUtility.HtmlEncode(yellow),
    HttpUtility.HtmlEncode(warning)
);

更好的是，省略 onclick 并使用不显眼的 JavaScript 来捕获点击并添加行为依赖于类。那么警告文本可以是 .js 文件中的静态字符串。

A single backslash-quote gets interpreted (back to single-quote) at the C# string literal syntax level. You need to get a \' sequence through to the HTML level, which means as a string literal you would have to use \\'.

The better long-term answer is to stop nesting your string contexts. When you've got JavaScript code inside HTML markup inside a C# string literal, that's multiple levels of escaping you have to think about at once, and humans aren't good at doing that. Break the escaping down a level at a time, use alternative quotes where available, and put data in attributes instead of code where you can:

string warning= (
    "You are the current high bidder but the auction's minimum bid reserve "+
    "has not been met. You need to increase your max bid until the reserve "+
    "the reserve has been met to have a chance in winning this domain auction."
);

string html= String.Format(
    "<img src='{0}' class='sBtnImg' title='{1}' onclick='alert(this.title);'/>",
    HttpUtility.HtmlEncode(yellow),
    HttpUtility.HtmlEncode(warning)
);

Better still, omit onclick and use unobtrusive JavaScript to catch clicks and add behaviour dependent on the class. Then the warning text can be a static string in a .js file.

回复收藏 0 原文