由JavaScript引擎认可HTML恩codeD字符串，怎么可能呢？ [英] HTML Encoded strings recognized by the javascript engine, how's it possible?

问题描述

嘛。这一夜是一个非常奇怪的夜晚给我。对不起，我要创造pviously创建其他两个问题$ P $后，一个新的问题，但这是另外一个说法的。如果我在这里得到一个答案，我会得到一个答案，这些问题也因此，请某人听我试着去理解。

Well. This night was a very strange night to me. I am sorry to create a new question after creating two other questions previously, but this is another argument at all. If I get an answer here, I'll get an answer to those questions too so please somebody listen to me and try to understand.

这一切都始于一个简单的脚本来通过一个aspx codebehind文件生成JS。
在控制，我不得不把一个JavaScript是这样的：

It all began with a simple script JS to be generated through an aspx codebehind file. On a control, I had to put a JavaScript in this way:

this.MyTxtBox.Attributes["onfocus"] = "windows.alert('Hello World!');";

确定。你可能会认为，这里的问题？问题是，ASP.NET 4.0连接codeS的一切，我说要在网站上进行，以避免XSS一切。嗯，这似乎不是一个问题，但如果你看一下所呈现的页面，你会做的椅子，像我一样在跳：

OK. You might think, where's the problem? The problem is that ASP.NET 4.0 encodes everything, and I say everything in order to avoid XSS to be performed on a site. Well this might not seem a problem but if you look at the rendered page you'll make a jump on the chair like I did:

<textarea id="..." onfocus="windows.alert(&#39;Hello World!&#39;);"></textarea>

正如你所看到的HTML，最终的HTML有点奇怪...... JavaScript引擎不应该接受这种情况。
于是我开始了这个问题：

As you can see the html, the final html is a bit odd... JavaScript engine should not accept this situation. So I started this questions:

<一个href=\"http://stackoverflow.com/questions/4411419/asp-net-quote-character-encoding-causes-problems-when-setting-a-controls-propert/\">ASP.NET设置控件的属性

Asp.Net编码配置

嗯，我还没有得到任何回答是的，我们不明白有必要在地狱中的.NET配置修改为了不让这种情况发生。

Well I still haven't got any answer YES we could not understand what the hell it is necessary to modify in the .net configuration in order not to let this situation happen.

但现在我考虑的一件事，一件重要的事情：JavaScript引擎的作品！
即便如此奇怪code，它不应该是跨preTED ...

But now I consider one thing, one important thing: JavaScript engine works! Even with that odd code that should not be interpreted...

我希望一切都清楚到现在......现在的问题来了：

I hope everything was clear until now... The question now comes:

这是为JavaScript引擎正常的情况？
是否每个浏览器将正确地跨preT报价有一个JavaScript替换为它们的EN codeD字符串？

Is this a normal situation for the JavaScript engine? Does every browser will correctly interpret a JavaScript having quotes replaced with their encoded strings?

如果这是真的，我必须假设.NET不提供一个机制，以避免编码只是为了这个原因！

If this is true I have to suppose that the .net does not provide a mechanism to avoid encoding just for this reason!

推荐答案

回复：

<textarea id="..." onfocus="windows.alert(&#39;Hello World!&#39;);"></textarea>

有什么奇怪的有关（比你使用其他 windows.alert 而不是 window.alert ）。它应该正常工作（并执行; 例如）。在 HTML 解析器解析HTML属性值，并处理加工实体，如＆放大器;＃39; 。 JavaScript源$ C ​​$ c将其手，最终与JavaScript之间的preTER将在它的报价。浏览器不用手文字字符＆安培; ＃3 9; 与JavaScript之间的preTER

There's nothing odd about that (other than your using windows.alert instead of window.alert). It should work fine (and does; example). The HTML parser parses HTML attribute values, and handles processing entities like '. The JavaScript source code it eventually hands to the JavaScript interpreter will have quotes in it. The browser doesn't hand the literal characters & # 3 9 ; to the JavaScript interpreter.

这只是一样的：

<input type='text' value="This is a &#39;funny&#39; value too">

HTML解析器处理实体，并分配给输入的实际值这是一个有趣的价值太。

顺便说一句，这也是为什么这个看似无辜的HTML实际上是错误的，将无法通过验证（虽然大多数浏览器将允许它）：

Incidentally, this is also why this seemingly-innocent HTML is actually wrong and will fail validation (although most browsers will allow it):

<a href='http://www.google.com/search?q=foo&hl=en'>Search for foo</a>

更准确一点，应该是：

More correctly, that should be:

<a href='http://www.google.com/search?q=foo&amp;hl=en'>Search for foo</a>
<!--                                       ^^^^^--- difference here   -->

......因为HTML解析器解析值，那么分配的解析<​​/ em>的结果到的href 属性。当然，一个＆安培; 引入了一个字符实体，因此从字面上获得＆安培; 您必须使用＆放大器;放大器; 到处都是HTML。 （同样，大多数浏览器会让你得逞的，如果接下来的＆放大器; 看起来并不像一个实体但可以和会咬你）

...because the HTML parser parses the value, then assigns the parsed result to the href attribute. And of course, an & introduces a character entity and so to literally get an & you must use & everywhere in HTML. (Again, most browsers will let you get away with it if what follows the & doesn't look like an entity. But that can and will bite you.)

这篇关于由JavaScript引擎认可HTML恩codeD字符串，怎么可能呢？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！