转义Qualtrics管道文本以在javascript中使用(更一般而言，如何安全地转义用户生成的文本) [英] Escaping Qualtrics piped text for use in javascript (more generally, how to safely escape user-generated text)

问题描述

在我的Qualtrics调查中，我有一个自由答复(文本框)问题.我想将对这个问题的回答放到javascript中，这样我就可以进行一些复杂的文本处理并将结果发布到外部页面上.

In my Qualtrics survey I have a free-response (textbox) question. I'd like to get the response to this question into javascript so I can do some complicated text processing and post the result to an external page.

看来，Qualtrics的官方方法是使用管道文本代码:

It looks like the official Qualtrics way to do that is to use the piped text code:

var answer = "${q://QID1/ChoiceTextEntryValue}"

但这会生成javascript代码，并将文字响应插入到代码中.如果调查员在回答中加上引号，则会破坏代码.我还验证了它可用于注入任意JavaScript！

But this generates javascript code with the literal response inserted into the code. If a survey-taker puts a quote mark in their response, it will break the code. I've also verified that it can be used to inject arbitrary javascript!

有什么方法可以安全地将用户生成的值分配给变量?

Is there any way to assign a user-generated value to a variable safely?

我尝试过的事情:

• 如果有一个API调用将响应直接放入javascript变量中而不必使用管道文本，那就太好了.我检查了他们的 API文档并进行了交谈技术支持，而且似乎不存在这样的功能.
• 如果Qualtrics具有用于字符替换的内置功能(我可以使用该功能来去除引号)也将有所帮助，但我认为它没有.
• 我可以使用回复验证来防止受访者提交带有引号的回复.这是我想出的唯一可行的解​​决方案，但对用户而言却很烦人.

• It would be nice if there were an API call that put the response directly into a javascript variable without having to use piped text. I've examined their API documentation and talked to tech support, and it doesn't look like such a function exists.
• It would also be helpful if Qualtrics had a built-in feature for character substitution that I could use to strip quotes, but I don't think it does.
• I could use response validation to prevent respondents from submitting a response that has quote marks in it. This is the only workable solution I've come up with, but it would be annoying for users.

推荐答案

再迟一点-也许您已经前进或找到了解决方案?您是否可以确定正在谈论使用Javascript处理文本字符串(无论是从调查中的文本框中获取还是通过联系人列表上载导入)?如果是这样，我在这里遇到了一些很好的信息

Again a little late - perhaps you've moved on or found a solution? Can you confirm that you are talking about manipulating a text string (whether it be sourced from a text box in the survey or imported via a contact list upload) in Javascript? If so I've just come across some good info here How To Work with Strings in JavaScript where it talks about using the back tick instead of single or double quote to encase the piped text. This then allows the string to be used / recorded in its literal sense and taking into account apostrophes and double quotes in the string.

所以而不是: var answer ="$ {q://QID1/ChoiceTextEntryValue}"

您将双引号替换为反引号.恐怕我不能在这里发布它，因为此处的代码工具使用反引号！

you replace the double quotes with backticks. I'm afraid I can't post it here as the code tool here uses backticks!!

这篇关于转义Qualtrics管道文本以在javascript中使用(更一般而言，如何安全地转义用户生成的文本)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！