在html标签属性值内部转义 [英] escaping inside html tag attribute value
问题描述
我无法理解在HTML标签属性值中是如何转义的。
我导致相信你应该总是逃避& '<>。因此,对于JavaScript作为属性值,我尝试过:
< a href =javascript:alert &; Hello&;);>< / a>
但是:
< a href =javascript:alert(&#39; Hello&#39;) ;>< / a>
和
< a href =javascript:alert('Hello');>< / a>
在所有浏览器中都能正常工作!
现在我完全搞不懂了。双引号,这是否意味着我不必逃避单引号?或者是和技术上不同的字符?这样的JavaScript需要ascii 39,但不是'?'/ b>
这里涉及到两种类型的转义,HTML和JavaScript。解释HTML文档时,首先解析HTML转义。
至于HTML被考虑,属性值中的规则与其他地方的规则相同,并附加一条规则: 如果您喜欢,您可以转义 在JavaScript方面,字符串文字中有一些转义机制(带有 I am having trouble understanding how escaping works inside html tag attribute values that are javascript. I was lead to believe that you should always escape & ' " < > . So for javascript as an attribute value I tried:
< 应该被转义。通常& lt; 用于此目的。从技术上讲,取决于HTML版本,转义并不总是必需的,但它一直是一个好习惯。
& 应该逃脱。通常& amp; 用于此目的。这也并非总是强制性的,但总是要做到比学习和记忆何时需要更简单。
作为分隔符,则习惯使用& quot; 来避免它的出现;而对于Ascii撇号,实体引用& 仅在某些HTML版本中定义,所以使用数字引用&
$ $ b > (或任何其他数据字符),但它永远不需要。
\ ),但这是一个不同的问题,与您的案例无关。在您的示例中,在符合当前规范的浏览器上,JavaScript解释器看到完全相同的代码 alert('Hello'); 。浏览器具有未转义& 或&#39; 到'。我有点惊讶于& ap os; 目前并不普遍支持,但这不是问题:很少需要在HTML中转义Ascii撇号(只有在属性值中需要转义时才需要转义,并且只有在使用Ascii撇号作为分隔符),当存在时,可以使用&#39; 引用。<a href="javascript:alert('Hello');"></a>
It doesn't work. However:
<a href="javascript:alert('Hello');"></a>
and
<a href="javascript:alert('Hello');"></a>
does work in all browsers!
Now I am totally confused. If all my attribute values are enclosed in double quotes, does this mean I do not have to escape single quotes? Or is apos and ascii 39 technically different characters? Such that javascript requires ascii 39, but not apos?
There are two types of "escapes" involved here, HTML and JavaScript. When interpreting an HTML document, the HTML escapes are parsed first.
As far as HTML is considered, the rules within an attribute value are the same as elsewhere plus one additional rule:
- The less-than character
<should be escaped. Usually<is used for this. Technically, depending on HTML version, escaping is not always required, but it has always been good practice. - The ampersand
&should be escaped. Usually&is used for this. This, too, is not always obligatory, but it is simpler to do it always than to learn and remember when it is required. - The character that is used as delimiters around the attribute value must be escaped inside it. If you use the Ascii quotation mark
"as delimiter, it is customary to escape its occurrences using"whereas for the Ascii apostrophe, the entity reference'is defined in some HTML versions only, so it it safest to use the numeric reference'(or').
You can escape > (or any other data character) if you like, but it is never needed.
On the JavaScript side, there are some escape mechanisms (with \) in string literals. But these are a different issue, and not relevant in your case.
In your example, on a browser that conforms to current specifications, the JavaScript interpreter sees exactly the same code alert('Hello');. The browser has "unescaped" ' or ' to '. I was somewhat surprised to here that ' is not universally supported these days, but it’s not an issue: there is seldom any need to escape the Ascii apostrophe in HTML (escaping is only needed within attribute values and only if you use the Ascii apostrophe as its delimiter), and when there is, you can use the ' reference.
这篇关于在html标签属性值内部转义的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
