浏览器解析HTML jQuery的无负载的资源 [英] Browser parse HTML for jQuery without loading resources
问题描述
是否有可能通过JavaScript为HTML传递到浏览器,并使用jQuery解析它,但不能加载外部资源? (脚本,图片,Flash,任何东西)
我会做的XML解析器,如果这是我能做的最好的,但我想,让松散的HTML如果可能的话。
它必须使用Chrome,火狐,最新的IE浏览器兼容。
VAR HTML = someHTML; //在HTML过去了,也许$('#textarea的ID)。VAL();?我不明白你说'在HTML传递是什么意思
VAR容器=使用document.createElement('DIV');
container.innerHTML = HTML;
$(集装箱).find('IMG,嵌入,头,脚本,样式')删除()。
//要么
$(集装箱).find([来源]')删除()。VAR的目标= someTarget; //地方把解析的HTML
$(集装箱).appendTo($(目标));
修改
测试工作
removeExt =功能(cleanMe){
变种toScrutinize = $(cleanMe).find('*'); //获取所有的元素
$。每个(toScrutinize,函数(){
VAR ATTR = $(本)[0] .attributes; //获得所有属性
VAR的= $(本);
$。每个(ATTR,函数(){
如果($(这).attr(this.nodeName).match(/ ^ HTTP /)){//如果属性值外部链接
$(即)上卸下摆臂(); //...把它拿出来
}
})
})
$('脚本')删除()。 //还拿出任何内嵌脚本
}VAR HTML = someHTML;
VAR容器=使用document.createElement('DIV');
container.innerHTML = HTML;
removeExt($(容器));
VAR的目标= someTarget;
$(集装箱).appendTo($(目标));
这将匹配的src中,href,链接,数据富,什么...没办法外部链接。 http和https都匹配。内嵌脚本被杀害。如果它仍然是一个安全问题,那么也许应该是这样的服务器端,或混淆您的JS。
Is it possible to pass HTML to a browser through JavaScript and parse it with jQuery, but not load external resources? (scripts, images, flash, anything)
I will do with the XML parser if that is the best I can do, but I would like to allow loose HTML if possible.
It must be compatible with Chrome, Firefox, the latest IE.
var html = someHTML; //passed in html, maybe $('textarea#id').val();? I don't understand what you mean by 'passed in html'
var container = document.createElement('div');
container.innerHTML = html;
$(container).find('img,embed,head,script,style').remove();
//or
$(container).find('[src]').remove();
var target = someTarget; //place to put parsed html
$(container).appendTo($(target));
EDIT
Tested working
removeExt = function(cleanMe) {
var toScrutinize = $(cleanMe).find('*'); //get ALL elements
$.each(toScrutinize, function() {
var attr = $(this)[0].attributes; //get all the attributes
var that = $(this);
$.each(attr, function(){
if ($(that).attr(this.nodeName).match(/^http/)) {//if the attribute value links externally
$(that).remove(); //...take it out
}
})
})
$('script').remove(); //also take out any inline scripts
}
var html = someHTML;
var container = document.createElement('div');
container.innerHTML = html;
removeExt($(container));
var target = someTarget;
$(container).appendTo($(target));
This will match src, href, link, data-foo, whatever... No way to link externally. http and https are both matched. inline scripts are killed. If it's still a security concern, then maybe this should be done server side, or obfuscate your JS.
这篇关于浏览器解析HTML jQuery的无负载的资源的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!