在iframe / div中禁用JavaScript [英] Disable JavaScript in iframe/div

问题描述

我正在制作一个小的HTML页面编辑器。编辑器将文件加载到iframe中。从那里，它可以添加，修改或删除页面上具有新属性，样式等的元素。问题在于，JavaScript（和/或其他编程语言）可以在加载时完全修改页面，之后你开始编辑元素。因此，当您保存时，它不会保存原始标记，而是保存修改后的页面+您的更改。

I am making a small HTML page editor. The editor loads a file into an iframe. From there, it could add, modify, or delete the elements on the page with new attributes, styles, etc. The problem with this, is that JavaScript (and/or other programming languages) can completely modify the page when it loads, before you start editing the elements. So when you save, it won't save the original markup, but the modified page + your changes.

所以，我需要一些方法来禁用iframe上的JavaScript ，或者在JavaScript开始修改页面之前以某种方式删除所有JavaScript。 （我想我将不得不最终解析PHP的文件，但这不应该太难）我考虑编写一个脚本来遍历所有元素，删除任何标签，onclick，onfocus，onmouseover's等。但是这将是一个真正的痛苦。

So, I need some way to disable the JavaScript on the iframe, or somehow remove all the JavaScript before the JavaScript starts modifying the page. (I figure I'll have to end up parsing the file for PHP, but that shouldn't be too hard) I considered writing a script to loop through all the elements, removing any tags, onclick's, onfocus's, onmouseover's, etc. But that would be a real pain.

有没有人知道在iframe中运行JavaScript的更简单方法？

Does anyone know of an easier way to get rid of JavaScript from running inside an iframe?

更新：除非我错过了什么，我相信没有办法简单地禁用JavaScript。如果我错了，请纠正我。但是，我想唯一的方法是从请求的页面字符串中解析出任何脚本标记和JavaScript事件（点击，鼠标悬停等）。

UPDATE: unless I've missed something, I believe there is no way to simply 'disable JavaScript.' Please correct me if I'm wrong. But, I guess the only way to do it would be to parse out any script tags and JavaScript events (click, mouseover, etc) from a requested page string.

推荐答案

您可以尝试使用CKEditor采用的相同解决方案，您可以在其中获得演示此处。

通过从RTE模式切换到查看源模式，您可以输入一些JavaScript并查看结果，这是用安全编码的字符串替换JS节点。

如果您处于查看源模式，请输入以下JS线：

You can try the same solution adopted by CKEditor, of which you have a demo here.
By switching from RTE mode to view source mode, you can enter some JavaScript and see the result, which is a replacement of the JS node in a safely encoded string.
If you are in view source mode, by entering some JS line like:

<script type="text/javascript">
// comment
alert('Ciao');
</script>

回到富文本编辑器时，您会看到这种方式呈现模式：

you will see it rendered this way when going back to rich text editor mode:

<!--{cke_protected}%3Cscript%20type%3D%22text%2Fjavascript%22%3E%0D%0A%2F%2F%20comment%0D%0Aalert('Ciao')%3B%0D%0A%3C%2Fscript%3E-->

我认为这是最简单有效的方法之一，因为解析JS节点的RegExp不是复杂。

一个例子：

I think it is one of the easiest and effective way, since the RegExp to parse JS nodes is not complex.
An example:

var pattern = /<script(\s+(\w+\s*=\s*("|').*?\3)\s*)*\s*(\/>|>.*?<\/script\s*>)/;
var match = HTMLString.match(pattern); // array containing the occurrences found

（当然，要替换脚本节点，你应该使用replace（）方法）。

(Of course, to replace the script node you should use the replace() method).

问候。

这篇关于在iframe / div中禁用JavaScript的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！