使用html实体对文本框执行jQuery val() [英] Performing jQuery val() against a textbox with html entities
问题描述
我使用简单的js小提琴来设置我的问题 http://jsfiddle.net/um788f6q/
< input type =textid =yo>
$(#yo)。val('hell&#39; o')
<基本上我想知道是否有方法显示撇号而不是编码字符串。我已经在服务器上编码这样的值来防止xss攻击,所以解码并不是真正的有效选项。
谢谢
基本上我想知道是否有显示撇号而不是编码字符串的方法。
没有任何理智。
文本中的值属性交易,而不是HTML。
作为一种可怕的黑客,您可以通过解析HTML并随后读取生成的文本节点来将其转换为文本。
< $($#$)$(#yo).val($(< div />)。html('hell&#39; o').text());
...但不要。而不是解决真正的问题。
我已经在服务器上对这些值进行了编码以防止xss攻击
不要这样做。
您将数据插入JavaScript,而不是HTML。 b
$ b
HTML不处理HTML时。它可能会让你容易受到攻击。
编码插入JavaScript的数据的适当方式是使用JSON编码器。 (然后,如果将JSON放入HTML属性值,则使用实体对生成的JSON进行编码,或者如果将它放入 /
字符>< script> 元素)。
I have set up my issue using a simple js fiddle http://jsfiddle.net/um788f6q/
<input type="text" id="yo">
$("#yo").val('hell'o')
Basically I would like to know if there is a way to display an apostrophe rather than the encoded string. I have encoded the values like this on the server to prevent xss attacks, so decoding is not realy a valid option.
Thanks
Basically I would like to know if there is a way to display an apostrophe rather than the encoded string.
Nothing sane.
The value property deals in text, not HTML.
As a horrible hack you could convert it to text by parsing the HTML and then reading the resulting text node.
$("#yo").val($("<div />").html('hell'o').text());
… but don't. Solve the real problem instead.
I have encoded the values like this on the server to prevent xss attacks
Don't do that.
You're inserting the data into JavaScript, not into HTML.
Don't use a defence for HTML when you aren't dealing in HTML. It could leave you vulnerable.
The appropriate way to encode data for inserting into JavaScript is to use a JSON encoder. (Then encode the resulting JSON with entities if you are putting the JSON in an HTML attribute value, or escape any /
characters if you are putting it in a <script>
element).
这篇关于使用html实体对文本框执行jQuery val()的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!