在Javascript中防止HTML和脚本注入 [英] Preventing HTML and Script injections in Javascript
问题描述
现在这已经非常困难了找到一个明确的答案或我不会问,但你会怎么去输出这个字符串:
< script> ;警报( 你好)LT /脚本> < H1> Hello World< / h1>
既不执行脚本也不显示HTML元素?
我真正要问的是,如果在 Javascript 中有避免HTML和Script注入的标准方法。每个人似乎都有不同的做法(我使用jQuery,所以我知道我可以简单地将字符串输出到 text 元素而不是 html 元素,但这不是重点)。
您可以编码<
和>
到它们的HTML equivelant。
$ b
html = html .replace(/< / g,& lt;)。replace(/> / g,& gt;);
Assume I have a page with an input box. The user types something into the input box and hits a button. The button triggers a function that picks up the value typed into the text box and outputs it onto the page beneath the text box for whatever reason.
Now this has been disturbingly difficult to find a definitive answer on or I wouldn't be asking but how would you go about outputting this string:
<script>alert("hello")</script> <h1> Hello World </h1>
So that neither the script is executed nor the HTML element is displayed?
What I'm really asking here is if there is a standard method of avoiding both HTML and Script injection in Javascript. Everyone seems to have a different way of doing it (I'm using jQuery so I know I can simply output the string to the text element rather than the html element for instance, that's not the point though).
You can encode the <
and >
to their HTML equivelant.
html = html.replace(/</g, "<").replace(/>/g, ">");
How to display HTML tags as plain text
这篇关于在Javascript中防止HTML和脚本注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!