如何使用</script>安全地嵌入JSON在HTML文档中? [英] How to safely embed JSON with </script> in HTML document?
问题描述
在Rails 3.1应用程序中,如何安全地将一些JSON数据嵌入HTML文档中?
In a Rails 3.1 app, how can I safely embed some JSON data into an HTML document?
假设我在控制器操作中具有此功能:
Suppose I have this in a controller action:
@tags = [
{name:"tag1", color:"green"},
{name:"</script><b>I can do something bad here</b>", color:"red"}
]
这在相应的视图中:
<script type="text/javascript" charset="utf-8">
//<![CDATA[
var tags_list = <%= @tags.to_json %>;
// ]]>
</script>
然后我得到了结果HTML:
Then I get this in resulting HTML:
var tags_list = [
{"name":"tag1","color":"green"},
{"name":"</script><b>I can do something bad here</b>","color":"red"}
];
会在Chrome中触发SyntaxError: Unexpected token &
which triggers a SyntaxError: Unexpected token & in Chrome
如果我使用<%=raw tags.to_json
%>删除了Rails的默认HTML转义,那么它将返回以下内容:
If I remove the Rails' default HTML escaping with <%=raw tags.to_json
%>, then it returns this:
var tags_list = [
{"name":"tag1","color":"green"},
{"name":"</script><b>I can do something bad here</b>","color":"red"}
];
,当然会用</script>中断HTML文档.
which, of course, breaks the HTML document with </script>.
我可以以某种方式告诉to_json()方法返回类似以下的内容:
Can I somehow tell to_json() method to return something more like this:
var tags_list = [
{"name":"tag1","color":"green"},
{"name":"</script><b>I can do something bad here</b>","color":"red"}
];
我在rubyonrails-talk邮件列表上问了这个问题,现在我知道有些人认为这是一个非常糟糕的主意,但在我的情况下,只要其中没有HTML特殊字符,它就可以很好地工作数据.因此,我只想确保to_json HTML返回的字符串安全,并且仍然让JavaScript正确地对其进行解析.
I asked this question on rubyonrails-talk mailing list, and I understand now that some people think that's a very bad idea to begin with, but in my case it works very nicely, as long as there are no HTML special chars in the data. So I just want to make the string returned by to_json HTML safe and still have JavaScript parse it properly.
更新: 基于@coreyward注释,我确实将其设置为JS字符串文字,并且现在看来效果很好.它的解决方案并不像我期望的那么优雅,但是也不是太糟糕.这是对我有用的代码:
UPDATE: Based on @coreyward comment, I did make it a JS string literal, and that seems to be working great now. Its not quite as elegant of a solution as I was hoping for, but its not too bad either. Here is the code that is working for me:
<% tags = [{name:"tag1", color:"green"}, {name:"</script><b>I can \n\ndo something bad here</b>", color:"red"}] %>
<script type="text/javascript" charset="utf-8">
//<![CDATA[
var tags_list = $.parseJSON('<%=j tags.to_json.html_safe %>');
// ]]>
</script>
其结果是:
<script type="text/javascript" charset="utf-8">
//<![CDATA[
var tags_list = $.parseJSON('[{\"name\":\"tag1\",\"color\":\"green\"},{\"name\":\"<\/script><b>I can \\n\\ndo something bad here<\/b>\",\"color\":\"red\"}]');
// ]]>
</script>
推荐答案
仅使用@tags.to_json的代码就可以在rails3中运行,如果您可以通过以下方式启用它:
Your code using just @tags.to_json works in rails3, if you enable it with:
ActiveSupport.escape_html_entities_in_json = true
否则,您的其他选择是这样:
Otherwise, your other option is this:
var tags_list = <%= raw @tags.to_json.gsub("</", "<\\/") %>;
这样可以节省客户端不得不通过$
This saves the client having to parse the whole thing through $
这篇关于如何使用</script>安全地嵌入JSON在HTML文档中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
