将html附加到jQuery元素,而不在html中运行脚本 [英] Append html to jQuery element without running scripts inside the html
问题描述
当使用.append()将html包装在div中时,代码中的所有脚本元素都将被评估,运行(请参阅此SO答案,以了解为什么会发生这种情况)。我不想要这个,我只是希望他们被删除,但我可以稍后自己处理,只要它们不运行。
我正在使用这个代码:
var wrapper = $('< div />')。append($(html));
我以这种方式改为:
var wrapper = $('< div>'+ html +'< / div>');
但是,只是在append()函数修复的IE中显示访问被拒绝错误看到上面提到的答案)。
我想我可以重写代码,不需要围绕HTML的包装,但我不确定,我我想知道是否可以在没有运行脚本的情况下附加html。
我的问题:
-
如何在一个未知的html
中包装,而不在其内部运行脚本,
最好将其完全删除? -
我应该将jQuery从窗口
中删除,并用纯JavaScript和
DOM操作来代替?有帮助吗?
我不想做的是:
$ b $我不想在客户端放一些安全层。我非常清楚,这将是毫无意义的。
更新:James的建议
詹姆斯建议我应该过滤出脚本元素,但是看这两个例子(原来的第一个和James的建议):
jQuery < p />)。append(< br /> hello< script type ='text / javascript'> console.log('gnu!');< / script> there b $ b
保留文本节点,但写入gnu!
jQuery(< p />)。append(jQuery(< br /> hello< script type ='text / javascript'> console.log gnu!');< / script> there)。not('script'))
不写gnu !,而且也会丢失文本节点。
更新2:
更新了他的答案,我已经接受了。
首先删除脚本如何?
var wrapper = $('< div />')。append($(html).not('script'));
- 创建div容器
- 使用简单的JS将html放入div
- 删除div中的所有脚本元素
假设html中的脚本元素不嵌套在其他元素中:
var wrapper = document.createElement('div');
wrapper.innerHTML = html;
$(wrapper).children()。remove('script');
var wrapper = document.createElement('div');
wrapper.innerHTML = html;
$(wrapper).find('script')。remove();
这个工作适用于html只是文本,html在任何元素之外都有文本的情况。 p>
I have written some code that takes a string of html and cleans away any ugly HTML from it using jQuery (see an early prototype in this SO question). It works pretty well, but I stumbled on an issue:
When using .append() to wrap the html in a div, all script elements in the code are evaluated and run (see this SO answer for an explanation why this happens). I don't want this, I really just want them to be removed, but I can handle that later myself as long as they are not run.
I am using this code:
var wrapper = $('<div/>').append($(html));
I tried to do it this way instead:
var wrapper = $('<div>' + html + '</div>');
But that just brings forth the "Access denied" error in IE that the append() function fixes (see the answer I referenced above).
I think I might be able to rewrite my code to not require a wrapper around the html, but I am not sure, and I'd like to know if it is possible to append html without running scripts in it, anyway.
My questions:
How do I wrap a piece of unknown html without running scripts inside it, preferably removing them altogether?
Should I throw jQuery out the window and do this with plain JavaScript and DOM manipulation instead? Would that help?
What I am not trying to do:
I am not trying to put some kind of security layer on the client side. I am very much aware that it would be pointless.
Update: James' suggestion
James suggested that I should filter out the script elements, but look at these two examples (the original first and the James' suggestion):
jQuery("<p/>").append("<br/>hello<script type='text/javascript'>console.log('gnu!'); </script>there")
keeps the text nodes but writes gnu!
jQuery("<p/>").append(jQuery("<br/>hello<script type='text/javascript'>console.log('gnu!'); </script>there").not('script'))`
Doesn't write gnu!, but also loses the text nodes.
Update 2:
James has updated his answer and I have accepted it. See my latest comment to his answer, though.
How about removing the scripts first?
var wrapper = $('<div/>').append($(html).not('script'));
- Create the div container
- Use plain JS to put html into div
- Remove all script elements in the div
Assuming script elements in the html are not nested in other elements:
var wrapper = document.createElement('div');
wrapper.innerHTML = html;
$(wrapper).children().remove('script');
var wrapper = document.createElement('div');
wrapper.innerHTML = html;
$(wrapper).find('script').remove();
This works for the case where html is just text and where html has text outside any elements.
这篇关于将html附加到jQuery元素,而不在html中运行脚本的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!