document.write - replace"< / script>"带有"< \ / script>"的标签 [英] document.write - replace "</script>" tags with "<\/script>"
问题描述
我已经测试过这段代码,手动将反斜杠添加到所有< / script> 标记中,如果所有标记都变为
< \ / script> 代码有效。
I've already tested this code manually adding the backslash to all the </script> tags, and
if all the tags become <\/script> the code works.
var iframe = document.createElement('iframe');
var html = '<html><head><script type="text/javascript" src="http://code.jquery.com/jquery-1.11.0.js"><\/script><script type="text/javascript">$(window).load(function(){function popo1(){alert("ciaoooo!");}popo1();$(".eccolo").html("<br><br><br><br>xD sygsyusgsuygsus ysg usygsuys");});<\/script></head><body><div class="eccolo"></div></body></html>';
document.body.appendChild(iframe);
iframe.contentWindow.document.open();
iframe.contentWindow.document.write(html);
iframe.contentWindow.document.close();
但我需要动态自动替换所有< / script> 带< \ / script> 的标签使用
XXX.replace(/<\/script>/ig, "<\\\/script>");
根据 这篇文章
according to this post
但似乎这种类型的替换实际上不起作用...
but seems that this type of replace is actually not working...
var iframe = document.createElement('iframe');
var XXX = '<html><head><script type="text/javascript" src="http://code.jquery.com/jquery-1.11.0.js"><\/script><script type="text/javascript">$(window).load(function(){function popo1(){alert("ciaoooo!");}popo1();$(".eccolo").html("<br><br><br><br>xD sygsyusgsuygsus ysg usygsuys");});<\/script></head><body><div class="eccolo"></div></body></html>';
var YYY = XXX.replace(/<\/script>/ig, "<\\\/script>");
document.body.appendChild(iframe);
iframe.contentWindow.document.open();
iframe.contentWindow.document.write(YYY);
iframe.contentWindow.document.close();
不幸的是我不能使用.js文件,所以我希望有一种方法可以正确地做标签替换
Unfortunately I can't use .js files, so I hope that there is a way to properly do the tags replace
推荐答案
但如果我想要怎么做使用
< \ / script>动态替换所有< / script>标记...
But what if I want to dynamically replace all the
</script>tags with<\/script>...
在下面的评论中,你说过:
In a comment below, you've said:
我从一个总是改变的输入中得到
var XXX我只是添加了一个定义的值(var XXX ='< html> ;< head> ...)在我的问题中只是例如
I'm getting the
var XXXfrom an input that always changes.. I just added a defined value (var XXX='<html><head>...) in my question just for example
这是一个非常不同的事情而不是你的问题。如果你说你将收到XXX字符串中的输入,其内容(在内存中,而不是字符串文字)如下所示:
That's a very different thing than what's in your question. If you're saying that you'll receive input in the XXX string whose content (in memory, not a string literal) looks like this:
<html>
<head>
<script type="text/javascript" src="http://code.jquery.com/jquery-1.11.0.js"></script>
<script type="text/javascript">
$(window).load(function() {
function popo1() {
alert("ciaoooo!");
}
popo1();
$(".eccolo").html("<br><br><br><br>xD sygsyusgsuygsus ysg usygsuys");
});
</script>
</head>
<body>
<div class="eccolo"></div>
</body>
</html>
...然后输入完全正常,可以按原样使用来设置内容 iframe 。您不必对其进行替换。你链接的帖子与你正在做的事情无关。
...then than input is perfectly fine and can be used as-is to set the content of the iframe. You don't have to do the replacement on it. The post you linked to doesn't relate to what you're doing.
但如果你说你会得到这样的输入:
But if you're saying you'll get input like this:
<html>
<head>
<script type="text/javascript" src="http://code.jquery.com/jquery-1.11.0.js"></script>
<script type="text/javascript">
$(window).load(function() {
var str = "The problem is here: </script>"; // <======
});
</script>
</head>
<body>
<div class="eccolo"></div>
</body>
</html>
...那么你和HTML解析器处于同样不幸的位置:你没有知道子字符串< / script> 何时实际结束脚本元素,或者是JavaScript字符串文字(或注释)中的文本。如果你有一个包含该内容的网页,HTML解析器会在之后立即结束脚本元素。问题在于:。事实上,如果您通过 document.write 将该内容输出到 iframe ,解析器将会阻塞它。该行:
...then you're in the same unfortunate position as the HTML parser: You don't know when the substring </script> actually ends a script element, or is text within a JavaScript string literal (or a comment). If you had a web page with that content, the HTML parser would conclude the script element ended immediately after The problem is here:. And indeed, if you output that content to an iframe via document.write, the parser will choke on it. The line:
var str = "The problem is here: </script>";
需要
var str = "The problem is here: <\/script>";
// or
var str = "The problem is here: </sc" + "ript>";
// or similar
...以避免绊倒HTML解析器。 (在 .js 文件中没问题,但这不是你的用例。)
...in order to avoid tripping up the HTML parser. (It would be fine in a .js file, but that's not your use case.)
从根本上说,如果你收到类似内容的输入,给你的人给你无效的输入。子字符串< / script> 无法出现在< script> 中的JavaScript代码中/ < / script> tags —不在字符串文字中,不在评论中,不在任何地方。
Fundamentally, if you're receiving input with something like that in it, the person giving it to you is giving you invalid input. The substring </script> cannot appear in JavaScript code within <script>/</script> tags — not in a string literal, not in a comment, nowhere.
规范定义的答案是:不要试图弄明白,要求它是正确的。 但是如果您知道脚本是JavaScript,并且您确实想要允许无效输入并更正它,那么您需要一个JavaScript解析器。这听起来很离谱,但 Esprima 就是这样,Meteor中有jsparser,可能还有其他人。您将扫描您给出的字符串< script> ,然后让JavaScript解析器接管并解析代码(您可能需要修改它)所以它知道在字符串文字/注释之外的< / script> 中停止。然后获取解析器使用的文本,使用替换转换代码文本中的任何< / script> 到< \ / script> ,然后继续。
The answer defined by the spec is: Don't try to figure it out, require that it be correct. But if you know the scripts are JavaScript, and you really really want to allow invalid input and correct it, you'll need a JavaScript parser. That sounds outrageous, but Esprima is exactly that, there's jsparser in the Meteor stuff, and there may be others. You'd scan the string you're given to find <script>, then let the JavaScript parser take over and parse the code (you'll probably need to modify it so it knows to stop in </script> outside of a string literal / comment). Then take the text consumed by the parser, use your replace to convert any </script> in the code's text to <\/script>, and continue on.
非平凡
It's non-trivial, which is why the spec doesn't require HTML parsers to do it.
但是,再次,如果输入就像你问题中的例子(没有反斜杠)你以前用字符串文字来避免这个问题),你根本不需要做替换。只需将其输出到iframe,它就可以正常工作。
But again, if the input is like your example in your question (without the backslashes you used to avoid this problem with your string literal), you don't have to do a replace at all. Just output it to the iframe, and it will work fine.
这篇关于document.write - replace"< / script>"带有"< \ / script>"的标签的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
