做jQuery的val（）和prop（）方法html-escape值？ [英] Do jQuery's val() and prop() methods html-escape values?

问题描述

在 val（） 和 prop（） 并转义。

I can't find anything in the documentation about val() and prop() and escaping.

它们是用作设置器时转义的值？

Are they intended to escape values when used as setters?

推荐答案

不是真的 .val（）用于设置表单字段的值属性，因此，转义不是真的需要。您将通过DOM设置值，因此不像您通过字符串连接构建HTML。另一方面， .prop（）甚至没有与DOM属性进行交互 - 只是DOM属性，因此您不需要处理HTML转义它们。

Not really. .val() is used to set a form field's value attribute, so escaping isn't really necessary there. You'll be setting the value via the DOM, so it's not like you're constructing HTML through string concatenation. .prop(), on the other hand, doesn't even interact with attributes at all - just DOM properties, so you don't need to working about HTML escaping their either.

编辑：为了澄清，我假设你问这个是因为你是关注 .prop（）或 .val（）作为XSS攻击向量（或只是一个机会拍摄自己在脚下）？如果是这种情况，您需要记住，通过DOM设置属性和属性时，您设置的值基本上会与您正在交互的属性或值进行沙盒化。例如，给出以下内容：

for the sake of clarification, I'm assuming that you're asking this because you're concerned about .prop() or .val() as an XSS attack vector (or just an opportunity to shoot yourself in the foot)? If that's the case, you need to remember that when setting attributes and properties via the DOM, the values that you set are essentially sandboxed to the attribute or value you were interacting with. For example, given the following:

<div id="foo"></div>

您尝试滥用某个属性值，例如：

And you attempted to abuse an attribute value, such as:

$('#foo').attr('rel', '"></div><script>alert("bang");</script><div rel="');

您可能会担心这会导致如下所示：

You might be concerned that this would result in something like the following:

<div id="foo" rel=""></div><script>alert("bang");</script><div rel=""></div>

尽管如此，这永远不会发生。您将确实有一个 rel 属性，其恶意字符串作为其值，但不会创建新的标记或DOM节点。字符串本身不会被转义 - 它只是不被解释为标记。这只是一个字符串，就是这样。

This will never happen, though. You will indeed have a rel attribute with the evil-looking string as its value, but no new markup or DOM nodes will be created. The string itself isn't escaped - it's just simply not interpreted as markup. It's just a string and that's it.

这篇关于做jQuery的val（）和prop（）方法html-escape值？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！