发表新帖
发表新帖

HtmlSpecialChars equivalent in Javascript?

后端 未结
关注
16 1524
耶瑟儿~
耶瑟儿~ 2020-11-22 06:00

Apparently, this is harder to find than I thought it would be. And it even is so simple...

Is there a function equivalent to PHP\'s htmlspecialchars built into Javas

相关标签:
16条回答
  • 走了就别回头了
    2020-11-22 06:35

    Underscore.js provides a function for this:

    _.escape(string)

    Escapes a string for insertion into HTML, replacing &, <, >, ", and ' characters.

    http://underscorejs.org/#escape

    It's not a built-in Javascript function, but if you are already using Underscore it is a better alternative than writing your own function if your strings to convert are not too large.

    0 讨论(0)
  • 没有蜡笔的小新
    2020-11-22 06:36

    With jQuery it can be like this:

    var escapedValue = $('<div/>').text(value).html();

    From related question Escaping HTML strings with jQuery

    As mentioned in comment double quotes and single quotes are left as-is for this implementation. That means this solution should not be used if you need to make element attribute as a raw html string.

    0 讨论(0)
  • 傲寒
    2020-11-22 06:36

    Hope this wins the race due to its performance and most important not a chained logic using .replace('&','&').replace('<','<')...

    var mapObj = {
   '&':"&amp;",
   '<':"&lt;",
   '>':"&gt;",
   '"':"&quot;",
   '\'':"&#039;"
};
var re = new RegExp(Object.keys(mapObj).join("|"),"gi");

function escapeHtml(str) 
{   
    return str.replace(re, function(matched)
    {
        return mapObj[matched.toLowerCase()];
    });
}

console.log('<script type="text/javascript">alert('Hello World');</script>');
console.log(escapeHtml('<script type="text/javascript">alert('Hello World');</script>'));
    0 讨论(0)
  • 后悔当初
    2020-11-22 06:40

    OWASP recommends that "[e]xcept for alphanumeric characters, [you should] escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of [an] attribute."

    So here's a function that does that, with a usage example:

    function escapeHTML(unsafe) {
  return unsafe.replace(
    /[\u0000-\u002F]|[\u003A-\u0040]|[\u005B-\u00FF]/g,
    c => '&#' + ('000' + c.charCodeAt(0)).substr(-4, 4) + ';'
  )
}
document.querySelector('div').innerHTML =
  '<span class=' +
  escapeHTML('this should break it! " | / % * + , - / ; < = > ^') +
  '>' +
  escapeHTML('<script>alert("inspect the attributes")\u003C/script>') +
  '</span>'
    <div></div>

    Disclaimer: You should verify the entity ranges I have provided to validate the safety yourself.

    0 讨论(0)
 看不清?
提交回复
热议问题