document.write - replace "</script>" tags with "<\/script>"

Question

I've already tested this code manually adding the backslash to all the </script> tags, and
if all the tags become <\/script> the code works.

var iframe = document.createElement('iframe');
var html = '<html><head><script type="text/javascript" src="http://code.jquery.com/jquery-1.11.0.js"><\/script><script type="text/javascript">$(window).load(function(){function popo1(){alert("ciaoooo!");}popo1();$(".eccolo").html("<br><br><br><br>xD sygsyusgsuygsus ysg usygsuys");});<\/script></head><body><div class="eccolo"></div></body></html>';

document.body.appendChild(iframe);
iframe.contentWindow.document.open();
iframe.contentWindow.document.write(html);
iframe.contentWindow.document.close();

Demo


But I need to dynamically auto-replace all the </script> tags with <\/script> using something like

XXX.replace(/<\/script>/ig, "<\\\/script>");

according to this post


but seems that this type of replace is actually not working...

var iframe = document.createElement('iframe');
var XXX = '<html><head><script type="text/javascript" src="http://code.jquery.com/jquery-1.11.0.js"><\/script><script type="text/javascript">$(window).load(function(){function popo1(){alert("ciaoooo!");}popo1();$(".eccolo").html("<br><br><br><br>xD sygsyusgsuygsus ysg usygsuys");});<\/script></head><body><div class="eccolo"></div></body></html>';

var YYY = XXX.replace(/<\/script>/ig, "<\\\/script>");

document.body.appendChild(iframe);
iframe.contentWindow.document.open();
iframe.contentWindow.document.write(YYY);
iframe.contentWindow.document.close();

Demo


Unfortunately I can't use .js files, so I hope that there is a way to properly do the tags replace

Recommended answer

But if I want to use <\/script>...

In a comment below, you've said:

I'm getting the var XXX from an input that always changes.. I just added a defined value (var XXX='<html><head>...) in my question just for example

That's a very different thing than what's in your question. If you're saying that you'll receive input in the XXX string whose content (in memory, not a string literal) looks like this:

<html>
<head>
    <script type="text/javascript" src="http://code.jquery.com/jquery-1.11.0.js"></script>
    <script type="text/javascript">
        $(window).load(function() {
            function popo1() {
                alert("ciaoooo!");
            }
            popo1();
            $(".eccolo").html("<br><br><br><br>xD sygsyusgsuygsus ysg usygsuys");
        });
    </script>
</head>
<body>
    <div class="eccolo"></div>
</body>
</html>

...then that input is perfectly fine and can be used as-is to set the content of the iframe. You don't have to do the replacement on it. The post you linked to doesn't relate to what you're doing.

But if you're saying you'll get input like this:

<html>
<head>
    <script type="text/javascript" src="http://code.jquery.com/jquery-1.11.0.js"></script>
    <script type="text/javascript">
        $(window).load(function() {
            var str = "The problem is here: </script>"; // <======
        });
    </script>
</head>
<body>
    <div class="eccolo"></div>
</body>
</html>

...then you're in the same unfortunate position as the HTML parser: You don't know when the substring </script> actually ends a script element, or is text within a JavaScript string literal (or a comment). If you had a web page with that content, the HTML parser would conclude the script element ended immediately after The problem is here:. And indeed, if you output that content to an iframe via document.write, the parser will choke on it. The line:

var str = "The problem is here: </script>";

must be

var str = "The problem is here: <\/script>";
// or
var str = "The problem is here: </sc" + "ript>";
// or similar

...in order to avoid tripping up the HTML parser. (It would be fine in a .js file, but that's not your use case.)

Fundamentally, if you're receiving input with something like that in it, the person giving it to you is giving you invalid input. The substring </script> cannot appear in JavaScript code within <script>/</script> tags — not in a string literal, not in a comment, nowhere.

The answer defined by the spec is: Don't try to figure it out, require that it be correct. But if you know the scripts are JavaScript, and you really really want to allow invalid input and correct it, you'll need a JavaScript parser. That sounds outrageous, but Esprima is exactly that, there's jsparser in the Meteor stuff, and there may be others. You'd scan the string you're given to find <script>, then let the JavaScript parser take over and parse the code (you'll probably need to modify it so it knows to stop in </script> outside of a string literal / comment). Then take the text consumed by the parser, use your replace to convert any </script> in the code's text to <\/script>, and continue on.

It's non-trivial, which is why the spec doesn't require HTML parsers to do it.

But again, if the input is like your example in your question (without the backslashes you used to avoid this problem with your string literal), you don't have to do a replace at all. Just output it to the iframe, and it will work fine.
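
Added example, not part of the original answer and not its author's code: a simplified state scanner that shows why a blind replace cannot work and what tracking string literals and comments looks like. The function name escapeScriptCloseTags is hypothetical. It assumes the scripts are JavaScript and does not track regex literals or ${...} nesting in template literals, which is what a real parser such as Esprima would add.

```javascript
// Added example: a simplified scanner, not a full JavaScript parser.
// Assumptions: every <script> body is JavaScript; regex literals and
// ${...} nesting inside template literals are not tracked.
function escapeScriptCloseTags(html) {
  const closeTag = /^<\/script/i;
  let out = '';
  let i = 0;
  while (i < html.length) {
    const open = html.slice(i).search(/<script\b/i);
    if (open === -1) break;
    const bodyStart = html.indexOf('>', i + open) + 1;
    if (bodyStart === 0) break;               // unterminated opening tag
    out += html.slice(i, bodyStart);          // copy up to the script body
    i = bodyStart;
    let state = 'code'; // 'code', a quote character, '//' or '/*'
    while (i < html.length) {
      const two = html.slice(i, i + 2);
      if (closeTag.test(html.slice(i, i + 8))) {
        if (state === 'code') break;          // genuine end of the element
        out += '<\\/';                        // inside a literal or comment
        i += 2;
        continue;
      }
      if (state === 'code') {
        if (two === '//' || two === '/*') { state = two; out += two; i += 2; continue; }
        if ('"\'`'.includes(html[i])) state = html[i];
      } else if (state === '//') {
        if (html[i] === '\n') state = 'code';
      } else if (state === '/*') {
        if (two === '*/') { state = 'code'; out += two; i += 2; continue; }
      } else if (html[i] === '\\') {          // backslash escape in a string
        out += two; i += 2; continue;
      } else if (html[i] === state) {
        state = 'code';                       // closing quote
      }
      out += html[i++];
    }
  }
  return out + html.slice(i);                 // remainder, incl. real </script>
}
```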
