如何在html属性中正确地转义引号?

时间:2021-08-21 22:29:21

I have a drop down on a web page which is breaking when the value string contains a quote.

我在web页面上有一个下拉菜单,当值字符串包含引号时,它就会崩溃。

The value is "asd but in the DOM always appears as an empty string.

该值是“asd,但在DOM中总是以空字符串出现”。

I have tried every way I know to escape the string properly but to no avail.

我用我所知道的每一种方法都试过正确地逃脱那根绳子,但没有用。

<option value=""asd">test</option>
<option value="\"asd">test</option>
<option value="&quot;asd">test</option>
<option value="&#34;asd">test</option>

Any idea how to render this on the page so the postback message contains the correct value?

您知道如何在页面上呈现此内容,以便回发消息包含正确的值吗?

5 个解决方案

#1


260  

&quot; is the correct way, the third of your tests:

“;是正确的方法,第三个测试:

<option value="&quot;asd">test</option>

You can see this working below, or on jsFiddle.

您可以在下面看到这个工作,或者在jsFiddle。

alert($("option")[0].value);
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<select>
  <option value="&quot;asd">Test</option>
</select>

Alternatively, you can delimit the attribute value with single quotes:

或者,可以用单引号分隔属性值:

<option value='"asd'>test</option>

#2


9  

If you are using PHP, try calling htmlentities or htmlspecialchars function.

如果您正在使用PHP,请尝试调用htmlentities或htmlspecialchars函数。

#3


5  

Another option is replacing double quotes with single quotes if you don't mind whatever it is. But I don't mention this one:

另一个选择是用单引号替换双引号,如果你不介意的话。但是我没有提到这个

<option value='"asd'>test</option>

I mention this one:

我提到这个:

<option value="'asd">test</option>

In my case I used this solution.

在我的例子中,我用了这个解。

#4


5  

Per HTML syntax, and even HTML5, the following are all valid options:

每个HTML语法,甚至HTML5,以下都是有效的选项:

<option value="&quot;asd">test</option>
<option value="&#34;asd">test</option>
<option value='"asd'>test</option>
<option value='&quot;asd'>test</option>
<option value='&#34;asd'>test</option>
<option value=&quot;asd>test</option>
<option value=&#34;asd>test</option>

Note that if you are using XML syntax the quotes (single or double) are required.

请注意,如果您使用的是XML语法,则需要使用引号(单引号或双引号)。

Here's a jsfiddle showing all of the above working.

下面是一个jsfiddle,它显示了上面的所有功能。

#5


1  

You really should only allow untrusted data into a whitelist of good attributes like: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

你真的应该只允许不可信的数据放入白名单的属性:对齐,alink,alt,背景,边境,单元格边距,单元格间距,类,颜色,关口,colspan,坐标,dir,脸,高度,水平间距,ismap,朗,marginheight,marginwidth,多个nohref,noresize,noshade,nowrap,} ref,rel,牧师,行,行宽,滚动、形状、跨度、总结,tabindex,标题,usemap,valign,价值,vlink vspace、宽度

You really want to keep untrusted data out of javascript handlers as well as id or name attributes (they can clobber other elements in the DOM).

您确实希望将不受信任的数据排除在javascript处理程序以及id或名称属性之外(它们可能会破坏DOM中的其他元素)。

Also, if you are putting untrusted data into a SRC or HREF attribute, then its really a untrusted URL so you should validate the URL, make sure its NOT a javascript: URL, and then HTML entity encode.

此外,如果您将不可信数据放入SRC或HREF属性,那么它实际上是一个不可信的URL,因此您应该验证该URL,确保它不是一个javascript: URL,然后是HTML实体编码。

More details on all of there here: https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet

这里有更多的细节:https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet

#1


260  

&quot; is the correct way, the third of your tests:

“;是正确的方法,第三个测试:

<option value="&quot;asd">test</option>

You can see this working below, or on jsFiddle.

您可以在下面看到这个工作,或者在jsFiddle。

alert($("option")[0].value);
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<select>
  <option value="&quot;asd">Test</option>
</select>

Alternatively, you can delimit the attribute value with single quotes:

或者,可以用单引号分隔属性值:

<option value='"asd'>test</option>

#2


9  

If you are using PHP, try calling htmlentities or htmlspecialchars function.

如果您正在使用PHP,请尝试调用htmlentities或htmlspecialchars函数。

#3


5  

Another option is replacing double quotes with single quotes if you don't mind whatever it is. But I don't mention this one:

另一个选择是用单引号替换双引号,如果你不介意的话。但是我没有提到这个

<option value='"asd'>test</option>

I mention this one:

我提到这个:

<option value="'asd">test</option>

In my case I used this solution.

在我的例子中,我用了这个解。

#4


5  

Per HTML syntax, and even HTML5, the following are all valid options:

每个HTML语法,甚至HTML5,以下都是有效的选项:

<option value="&quot;asd">test</option>
<option value="&#34;asd">test</option>
<option value='"asd'>test</option>
<option value='&quot;asd'>test</option>
<option value='&#34;asd'>test</option>
<option value=&quot;asd>test</option>
<option value=&#34;asd>test</option>

Note that if you are using XML syntax the quotes (single or double) are required.

请注意,如果您使用的是XML语法,则需要使用引号(单引号或双引号)。

Here's a jsfiddle showing all of the above working.

下面是一个jsfiddle,它显示了上面的所有功能。

#5


1  

You really should only allow untrusted data into a whitelist of good attributes like: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

你真的应该只允许不可信的数据放入白名单的属性:对齐,alink,alt,背景,边境,单元格边距,单元格间距,类,颜色,关口,colspan,坐标,dir,脸,高度,水平间距,ismap,朗,marginheight,marginwidth,多个nohref,noresize,noshade,nowrap,} ref,rel,牧师,行,行宽,滚动、形状、跨度、总结,tabindex,标题,usemap,valign,价值,vlink vspace、宽度

You really want to keep untrusted data out of javascript handlers as well as id or name attributes (they can clobber other elements in the DOM).

您确实希望将不受信任的数据排除在javascript处理程序以及id或名称属性之外(它们可能会破坏DOM中的其他元素)。

Also, if you are putting untrusted data into a SRC or HREF attribute, then its really a untrusted URL so you should validate the URL, make sure its NOT a javascript: URL, and then HTML entity encode.

此外,如果您将不可信数据放入SRC或HREF属性,那么它实际上是一个不可信的URL,因此您应该验证该URL,确保它不是一个javascript: URL,然后是HTML实体编码。

More details on all of there here: https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet

这里有更多的细节:https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet