Escape quotes in JavaScript


Problem description

I'm outputting values from a database (it isn't really open to public entry, but it is open to entry by a user at the company -- meaning, I'm not worried about XSS.)

I'm trying to output a tag like this:

<a href="" onclick="DoEdit('DESCRIPTION');">Click Me</a>

DESCRIPTION is actually a value from the database that is something like this:

Prelim Assess "Mini" Report

I've tried replacing " with \", but no matter what I try, Firefox keeps chopping off my JavaScript call after the space after the word Assess, and it is causing all sorts of issues.

I must be missing the obvious answer, but for the life of me I can't figure it out.

Anyone care to point out my idiocy?

Here is the entire HTML page (it will be an ASP.NET page eventually, but in order to solve this I took out everything else but the problem code)

<html>
    <body>
        <a href="#" onclick="DoEdit('Preliminary Assessment \"Mini\"'); return false;">edit</a>
    </body>
</html>

Solution

You need to escape the string you are writing out into DoEdit to scrub out the double-quote characters. They are causing the onclick HTML attribute to close prematurely.

Using the JavaScript escape character, \, isn't sufficient in the HTML context. You need to replace the double-quote with the proper XML entity representation, &quot;.
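
The two layers the answer describes, as an added example that is not part of the original question or answer: the value is first escaped for the single-quoted JavaScript string literal, then the whole handler is encoded for the double-quoted HTML attribute. The helper names and the simplified attribute-parsing model are assumptions made for the illustration.

```javascript
// Added example, not code from the original post; all function names are hypothetical.

// Layer 1: escape for a single-quoted JavaScript string literal.
function escapeJsString(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Layer 2: encode for a double-quoted HTML attribute value.
function encodeHtmlAttr(value) {
  const entities = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
  return String(value).replace(/[&"'<>]/g, (ch) => entities[ch]);
}

function buildEditLink(description) {
  const handler = "DoEdit('" + escapeJsString(description) + "'); return false;";
  return '<a href="#" onclick="' + encodeHtmlAttr(handler) + '">edit</a>';
}

// Simplified model of the HTML parser: the attribute ends at the next literal "
// (a backslash means nothing to HTML), then character references are decoded.
function onclickAsSeenByBrowser(html) {
  const match = /onclick="([^"]*)"/.exec(html);
  if (!match) return null;
  const decode = { '&amp;': '&', '&quot;': '"', '&#39;': "'", '&lt;': '<', '&gt;': '>' };
  return match[1].replace(/&(?:amp|quot|#39|lt|gt);/g, (ref) => decode[ref]);
}

// Run the decoded handler with a stub DoEdit and return the argument it received.
function argumentPassedToDoEdit(html) {
  let received;
  const handler = new Function('DoEdit', onclickAsSeenByBrowser(html));
  handler((arg) => { received = arg; });
  return received;
}

const description = 'Prelim Assess "Mini" Report'; // value from the question
const broken = '<a href="#" onclick="DoEdit(\'Preliminary Assessment \\"Mini\\"\'); return false;">edit</a>';
console.log(onclickAsSeenByBrowser(broken));        // handler source cut off at the first "
console.log(buildEditLink(description));
console.log(argumentPassedToDoEdit(buildEditLink(description)));
```

On the server side of an ASP.NET page the same two steps apply in the same order: JavaScript-string escaping first, HTML attribute encoding last.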
