如何在javascript中实现if?

发布于 2024-12-11 23:56:17 字数 894 浏览 3 评论 0原文

下面的 JavaScript 从 http://mysite.com?url=www.google.com 中提取 www.google.com 并将其写为 href 链接

<script> 
var urll = (window.location.search.match(/[?&;]url=([^&;]+)/) || [])[1]; 
document.write('<a href="http://'+urll+'">url</a>'); 
</script>

它的问题是,当它提取 url 时 href 值将变为 http://mysite.com/www.google.com,因此 if 应说明原始网址是否为http://mysite.com?url=www.google.com?url= 前面没有 http://将其添加到 href 值之后,形成 url

在 a 的评论中上一个问题有人给了我这个

if (link.substr(0, 7) !== 'http://') { link = 'http://' + link; }

,但我真的不知道如何实现它,因为我从未在 javascript 中使用过 if

The javascript below extracts www.google.com from http://mysite.com?url=www.google.com
and writes it as an <a> href link

<script> 
var urll = (window.location.search.match(/[?&;]url=([^&;]+)/) || [])[1]; 
document.write('<a href="http://'+urll+'">url</a>'); 
</script>

The problem with it is that when it extracts the url the <a> href value it becomes http://mysite.com/www.google.com so the if should state if the original url http://mysite.com?url=www.google.com doesn't have http:// infront of ?url= then add it after the href value to form <a href="http://www.google.com">url</a>

In a comment for a previous question someone gave me this

if (link.substr(0, 7) !== 'http://') { link = 'http://' + link; }

but I really don't have a clue on how to implement it because I have never used an if in javascript.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

雨夜星沙 2024-12-18 23:56:17

除了其他任何事情之外,您还让自己容易受到 XSS 攻击

暂时假设url 参数(外部网站可以通过提供指向您网站的链接轻松欺骗该参数)包含字符串大胆!

这个故事的寓意是:永远不要盲目相信用户输入,也不要简单地将其转换为 HTML。

为了避免此类攻击(SQL 注入是针对服务器端代码的非常类似的攻击,它构建SQL 语句)执行以下两件事:

  1. 验证输入以确保它完全符合您的预期,如果不符合则不接受。在您的情况下,这意味着您需要确保 url 参数实际上代表有效的 URL。
  2. 仅以“安全”方式使用用户数据,不会引入“重新解释”输入的可能性。在您的情况下,这意味着您不能使用这样的字符串连接来构建 HTML。相反,使用 document.createElement() 来创建您的a 元素,将其 href 属性设置为所需的值(如上所述进行清理),然后将新创建的 a 元素添加到 DOM 中适当的位置。

Apart from anything else you're making yourself suspectible to XSS attacks:

Assume for a moment that the url parameter (which an external site can easily spoof by providing a link to your site) contains the string "><b>BOLD!</b><div class=". Suddenly your page would display some bold text, even 'though you never used a <b> tag in your site. And that's the most harmless example possible, because the attacker can equally well introduce arbitrary JavaScript into your page (including JS that steals the users cookie!).

Moral of the story: never blindly trust user input, and don't simply convert it to HTML.

To avoid these kinds of attacks (SQL Injection is a very similar attack against server-side code that builds SQL statements) do these two things:

  1. validate the input to ensure that it's exactly what you expect and don't accept it if it doesn't. In your case that would mean that you'd want to make sure that the url parameter actually represents a valid URL.
  2. Use user data only in "safe" ways that don't introduce the possibility of "re-interpretation" of the input. In your case it means that you must not build your HTML using string concatenation like this. Intead use document.createElement() to create your a element, set its href attribute to the desired value (sanitized as stated above) and then add the newly created a element in your DOM at the appropriate position.
痴梦一场 2024-12-18 23:56:17

看起来您需要 https://developer.mozilla.org/en/JavaScript。 “if”是任何编程语言最基本的元素,如果你不理解,你真的需要运行一堆基础知识。

It looks like you need https://developer.mozilla.org/en/JavaScript. "if" is the most basic element of any programming language, if you don't understand that you'll really need to run through a bunch of basics.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文