I have a drop down on a web page which is breaking when the value string contains a quote.
The value is "asd
but in the DOM always appears as an empty string.
I have tried every way I know to escape the string properly but to no avail.
<option value=""asd">test</option>
<option value="\"asd">test</option>
<option value="&quot;asd">test</option>
<option value="&#34;asd">test</option>
Any idea how to render this on the page so the postback message contains the correct value?
5 Answers
#1
260
&quot; is the correct way, the third of your tests:
<option value="&quot;asd">test</option>
You can see this working below, or on jsFiddle.
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<select>
<option value="&quot;asd">Test</option>
</select>
<script>alert($("option")[0].value);</script>
Alternatively, you can delimit the attribute value with single quotes:
<option value='"asd'>test</option>
#2
9
If you are using PHP, try calling the htmlentities or htmlspecialchars function.
#3
5
Another option is replacing double quotes with single quotes, if you don't mind which it is. But I don't mean this one:
<option value='"asd'>test</option>
I mean this one:
<option value="'asd">test</option>
In my case I used this solution.
#4
5
Per HTML syntax, and even HTML5, the following are all valid options:
<option value="&quot;asd">test</option>
<option value="&#34;asd">test</option>
<option value='"asd'>test</option>
<option value='&quot;asd'>test</option>
<option value='&#34;asd'>test</option>
<option value=&quot;asd>test</option>
<option value=&#34;asd>test</option>
Note that if you are using XML syntax the quotes (single or double) are required.
Here's a jsfiddle showing all of the above working.
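The escaping that answers #1, #2 and #4 describe, as an added example that is not code from the page or from any of the answers: an attribute encoder (the job htmlspecialchars does in PHP), a renderer for an <option> built from untrusted data, and a deliberately small reader that models how the HTML tokenizer takes the value attribute in its double-quoted, single-quoted and unquoted forms. The sample tags are constructed here; running the asker's four attempts through the reader reproduces the empty string they saw, and the seven spellings from answer #4 all come back as the intended value.

```javascript
// Added example, not the page's code. The reader below is a simplified model
// of the HTML tokenizer's attribute-value states, enough for the tags on this
// page; it is not a general HTML parser.

// Encode untrusted text for use inside a quoted attribute value. & is handled
// first so the entities added afterwards are not themselves re-encoded.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render an <option> whose value and label both come from untrusted data.
function renderOption(value, label) {
  return `<option value="${escapeAttr(value)}">${escapeAttr(label)}</option>`;
}

// Resolve the named and numeric character references used on this page.
const NAMED = { quot: '"', amp: "&", lt: "<", gt: ">", apos: "'" };
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z]+));/g,
    (m, hex, dec, name) => {
      if (hex) return String.fromCodePoint(parseInt(hex, 16));
      if (dec) return String.fromCodePoint(parseInt(dec, 10));
      return name in NAMED ? NAMED[name] : m;
    });
}

// Read the value attribute of one <option ...> start tag the way the HTML
// tokenizer does: a double-quoted value runs to the next ", a single-quoted
// value to the next ', an unquoted value to the next whitespace or >. The raw
// text is then entity-decoded. A backslash has no meaning in HTML, so "\"asd"
// ends at the second quote and yields just the backslash.
function readOptionValue(tag) {
  const m = /<option\s+value=/i.exec(tag);
  if (!m) return "";
  const start = m.index + m[0].length;
  const q = tag[start];
  let raw;
  if (q === '"' || q === "'") {
    const end = tag.indexOf(q, start + 1);
    raw = tag.slice(start + 1, end < 0 ? tag.length : end);
  } else {
    const rest = tag.slice(start);
    const n = rest.search(/[\s>]/);
    raw = n < 0 ? rest : rest.slice(0, n);
  }
  return decodeEntities(raw);
}

// The asker's four attempts (constructed sample tags).
const ATTEMPTS = {
  literal:   '<option value=""asd">test</option>',
  backslash: '<option value="\\"asd">test</option>',
  quot:      '<option value="&quot;asd">test</option>',
  numeric:   '<option value="&#34;asd">test</option>',
};

// The seven valid spellings listed in answer #4 (constructed sample tags).
const VALID_FORMS = [
  '<option value="&quot;asd">test</option>',
  '<option value="&#34;asd">test</option>',
  '<option value=\'"asd\'>test</option>',
  "<option value='&quot;asd'>test</option>",
  "<option value='&#34;asd'>test</option>",
  "<option value=&quot;asd>test</option>",
  "<option value=&#34;asd>test</option>",
];

// Map each named tag to the value the browser would submit in a postback.
function valuesOf(tags) {
  return Object.fromEntries(
    Object.entries(tags).map(([k, t]) => [k, readOptionValue(t)]));
}

// Round trip: whatever escapeAttr emits, the reader must hand back unchanged,
// including values that contain entities or markup of their own.
function roundTrips(value) {
  return readOptionValue(renderOption(value, "test")) === value;
}

console.log(valuesOf(ATTEMPTS));
console.log(VALID_FORMS.map(readOptionValue));
```

Note that the encoder escapes on the way out and never tries to "pre-decode" what the user typed: a value that literally contains the six characters &quot; is emitted as &amp;quot; and comes back as typed, which is the behaviour a form round trip needs.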
#5
1
You really should only allow untrusted data into a whitelist of good attributes like: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
You really want to keep untrusted data out of javascript handlers as well as id or name attributes (they can clobber other elements in the DOM).
Also, if you are putting untrusted data into a SRC or HREF attribute, then it's really an untrusted URL, so you should validate the URL, make sure it's NOT a javascript: URL, and then HTML entity encode.
More details on all of this here: https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet
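The three rules in answer #5 carried into working code, as an added example that is not the page's or the answer's own code: an allowlist of attributes that may carry untrusted data, a URL check for src/href that rejects javascript: and other script-bearing schemes before anything is encoded, and attribute encoding applied last. ALLOWED_ATTRS is the list given in the answer; the scheme allowlist (http, https, mailto) and the base URL used to resolve relative links are assumptions made for this example.

```javascript
// Added example, not the page's code. The allowlist of attribute names is the
// one in answer #5; ALLOWED_SCHEMES and the default base URL are assumptions.

const ALLOWED_ATTRS = new Set([
  "align", "alink", "alt", "bgcolor", "border", "cellpadding", "cellspacing",
  "class", "color", "cols", "colspan", "coords", "dir", "face", "height",
  "hspace", "ismap", "lang", "marginheight", "marginwidth", "multiple",
  "nohref", "noresize", "noshade", "nowrap", "ref", "rel", "rev", "rows",
  "rowspan", "scrolling", "shape", "span", "summary", "tabindex", "title",
  "usemap", "valign", "value", "vlink", "vspace", "width",
]);

// Event handlers (on*) run script. id and name are refused because a
// user-chosen value can shadow document.forms, window.<name> and similar
// DOM references, which is the clobbering the answer warns about.
function isAllowedAttr(name) {
  const n = String(name).toLowerCase();
  if (n.startsWith("on") || n === "id" || n === "name") return false;
  return ALLOWED_ATTRS.has(n);
}

// Schemes an untrusted href/src may use (assumption for this example).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Validate an untrusted URL with the WHATWG URL parser, i.e. the same rules
// the browser applies when it follows the link. Parsing lower-cases the
// scheme, strips leading and trailing whitespace and removes embedded tabs
// and newlines, so "JaVaScRiPt:", "  javascript:" and "java\nscript:" all come
// back with protocol "javascript:" and are rejected by the scheme check.
// Relative URLs are resolved against `base` (your own origin in practice) so
// they cannot carry a scheme of their own. Returns the normalised URL or null.
function safeUrl(input, base = "https://example.com/") {
  let u;
  try {
    u = new URL(String(input), base);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(u.protocol) ? u.href : null;
}

// Entity-encode for a double-quoted attribute; & goes first so the entities
// added afterwards are not re-encoded.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Produce one name="value" pair from untrusted data, or null when it must not
// be emitted at all. href and src are never emitted except through safeUrl,
// and encoding is the last step, after validation.
function renderAttr(name, value) {
  const n = String(name).toLowerCase();
  if (n === "href" || n === "src") {
    const url = safeUrl(value);
    return url === null ? null : `${n}="${escapeAttr(url)}"`;
  }
  if (!isAllowedAttr(n)) return null;
  return `${n}="${escapeAttr(value)}"`;
}

// Build an <a> element from an attribute map, silently dropping anything
// that fails validation, and encoding the text node as well.
function renderAnchor(attrs, text) {
  const parts = Object.entries(attrs)
    .map(([k, v]) => renderAttr(k, v))
    .filter((p) => p !== null);
  return `<a${parts.length ? " " + parts.join(" ") : ""}>${escapeAttr(text)}</a>`;
}

console.log(renderAnchor(
  { href: "javascript:alert(1)", onclick: "steal()", title: 'say "hi"' },
  "click"));
```

The scheme check stops script URLs but says nothing about where an http(s) link points: a protocol-relative "//other.example/" resolves to https://other.example/ and passes. If the link must stay on your own site, compare u.host (or u.origin) against an allowlist inside safeUrl as well.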