Dynamically changing the HTML of a div with jQuery is causing HTML encoding to be lost

Backend · Unresolved · 4 · 1773
栀梦 2021-01-28 14:20

I have a piece of code which dynamically alters the HTML of a div called 'accordion' on the fly like so:

// htmlstring contains some HTML
4 answers
  •  天涯浪人
    2021-01-28 15:10

    Try using the JavaScript escape '

    Here's an excerpt from the jQuery docs that explains why your HTML escape character is being rendered:

    By design, any jQuery constructor or method that accepts an HTML string — jQuery(), .append(), .after(), etc. — can potentially execute code. This can occur by injection of script tags or use of HTML attributes that execute code (for example, ). Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities. Remove or escape any user input before adding content to the document.

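The escaping the answer above recommends, written out as an added example that is not part of the original question or answer: a small HTML escape helper plus a panel builder that applies it before the string is handed to a jQuery method such as .html() or .append(). The panel markup, the function names and the sample input are assumptions made for illustration; nothing here depends on jQuery itself, so it runs under plain Node.

```javascript
// Added example, not from the original post. The jQuery docs quoted above
// warn that .html(), .append(), .after() etc. parse their argument as markup,
// so untrusted text must be escaped before it is spliced into an HTML string.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace the five characters that can change HTML structure or break out of
// an attribute value. A single regex pass replaces each character once, so
// '&' is never double-escaped.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build one accordion panel from a fixed, trusted template plus untrusted
// title and body text. Only the escaped values vary; the tags come from the
// template. (The panel structure is an assumption for this example.)
function buildPanel(title, body) {
  return `<div class="panel"><h3>${escapeHtml(title)}</h3>` +
         `<p>${escapeHtml(body)}</p></div>`;
}

// Constructed sample input standing in for what a form field might deliver.
const untrustedTitle = 'Tom & Jerry <script>alert("x")</script>';
const untrustedBody = "it's a \"test\"";

// In the browser this string would be passed on as, for example:
//   $('#accordion').html(buildPanel(untrustedTitle, untrustedBody));
// Because the values were escaped, the page shows the literal text
// "<script>" instead of executing it.
const panelHtml = buildPanel(untrustedTitle, untrustedBody);
```

Where no template is needed at all, the simpler option is to let jQuery treat the value as text rather than markup, e.g. $('<h3>').text(untrustedTitle), which never parses the input; escapeHtml is for the case where, as in the question, an HTML string is assembled first.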