I am having trouble understanding how escaping works inside html tag attribute values that are javascript.
我无法理解如何在html标记属性值(javascript)中进行转义。
I was lead to believe that you should always escape & ' " < > . So for javascript as an attribute value I tried:
我一直相信你应该总是逃避&'“<>。所以对于javascript作为属性值,我试过:
<a href="javascript:alert('Hello');"></a>
It doesn't work. However:
它不起作用。然而:
<a href="javascript:alert('Hello');"></a>
and
<a href="javascript:alert('Hello');"></a>
does work in all browsers!
适用于所有浏览器!
Now I am totally confused. If all my attribute values are enclosed in double quotes, does this mean I do not have to escape single quotes? Or is apos and ascii 39 technically different characters? Such that javascript requires ascii 39, but not apos?
现在我完全糊涂了。如果我的所有属性值都用双引号括起来,这是否意味着我不必转义单引号?或者是as和ascii 39技术上不同的角色?这样的javascript需要ascii 39,但不是吗?
3 个解决方案
#1
27
There are two types of “escapes” involved here, HTML and JavaScript. When interpreting an HTML document, the HTML escapes are parsed first.
这里涉及两种类型的“转义”,HTML和JavaScript。解释HTML文档时,首先解析HTML转义。
As far as HTML is considered, the rules within an attribute value are the same as elsewhere plus one additional rule:
就HTML而言,属性值中的规则与其他地方的规则相同,另外还有一条规则:
- The less-than character
<
should be escaped. Usually<
is used for this. Technically, depending on HTML version, escaping is not always required, but it has always been good practice. - The ampersand
&
should be escaped. Usually&
is used for this. This, too, is not always obligatory, but it is simpler to do it always than to learn and remember when it is required. - The character that is used as delimiters around the attribute value must be escaped inside it. If you use the Ascii quotation mark
"
as delimiter, it is customary to escape its occurrences using"
whereas for the Ascii apostrophe, the entity reference'
is defined in some HTML versions only, so it it safest to use the numeric reference'
(or'
).
应该转义小于字符<。通常<用于此。从技术上讲,根据HTML版本,并不总是需要转义,但它始终是良好的做法。
&符号应该逃脱。通常&用于此。这也并非总是强制性的,但总是要比在需要时学习和记忆更简单。
用作属性值周围分隔符的字符必须在其中进行转义。如果使用Ascii引号“作为分隔符,则习惯使用”转义其出现次数,而对于Ascii撇号,实体引用仅在某些HTML版本中定义,因此最安全的是使用数字引用' (或')。
You can escape >
(or any other data character) if you like, but it is never needed.
如果您愿意,可以转义>(或任何其他数据字符),但从不需要它。
On the JavaScript side, there are some escape mechanisms (with \
) in string literals. But these are a different issue, and not relevant in your case.
在JavaScript方面,字符串文字中有一些转义机制(带\)。但这些是一个不同的问题,与您的情况无关。
In your example, on a browser that conforms to current specifications, the JavaScript interpreter sees exactly the same code alert('Hello');
. The browser has “unescaped” '
or '
to '
. I was somewhat surprised to here that '
is not universally supported these days, but it’s not an issue: there is seldom any need to escape the Ascii apostrophe in HTML (escaping is only needed within attribute values and only if you use the Ascii apostrophe as its delimiter), and when there is, you can use the '
reference.
在您的示例中,在符合当前规范的浏览器上,JavaScript解释器会看到完全相同的代码警报('Hello');.浏览器具有“未转义”状态。或者 '。我对此感到有些惊讶。这些天并不普遍支持,但它不是一个问题:很少有任何需要在HTML中转义Ascii撇号(仅在属性值中需要转义,并且只有在使用Ascii撇号作为其分隔符时),并且当有,你可以使用'参考。
#2
2
'
is not a valid HTML reference entity. You should escape using '
者;不是有效的HTML引用实体。你应该逃避使用'
#3
-2
You are correct that you do not have to escape single quotes if your tag is enclosed in double quotes. When I do code javascript into tags (which is rare anymore with jQuery) the only character that I escape is the double quote, browsers handle the rest just fine.
你是正确的,如果你的标签用双引号括起来,你不必转义单引号。当我将javascript编码到标签中时(使用jQuery很少见)我逃脱的唯一字符是双引号,浏览器处理剩下的就好了。
#1
27
There are two types of “escapes” involved here, HTML and JavaScript. When interpreting an HTML document, the HTML escapes are parsed first.
这里涉及两种类型的“转义”,HTML和JavaScript。解释HTML文档时,首先解析HTML转义。
As far as HTML is considered, the rules within an attribute value are the same as elsewhere plus one additional rule:
就HTML而言,属性值中的规则与其他地方的规则相同,另外还有一条规则:
- The less-than character
<
should be escaped. Usually<
is used for this. Technically, depending on HTML version, escaping is not always required, but it has always been good practice. - The ampersand
&
should be escaped. Usually&
is used for this. This, too, is not always obligatory, but it is simpler to do it always than to learn and remember when it is required. - The character that is used as delimiters around the attribute value must be escaped inside it. If you use the Ascii quotation mark
"
as delimiter, it is customary to escape its occurrences using"
whereas for the Ascii apostrophe, the entity reference'
is defined in some HTML versions only, so it it safest to use the numeric reference'
(or'
).
应该转义小于字符<。通常<用于此。从技术上讲,根据HTML版本,并不总是需要转义,但它始终是良好的做法。
&符号应该逃脱。通常&用于此。这也并非总是强制性的,但总是要比在需要时学习和记忆更简单。
用作属性值周围分隔符的字符必须在其中进行转义。如果使用Ascii引号“作为分隔符,则习惯使用”转义其出现次数,而对于Ascii撇号,实体引用仅在某些HTML版本中定义,因此最安全的是使用数字引用' (或')。
You can escape >
(or any other data character) if you like, but it is never needed.
如果您愿意,可以转义>(或任何其他数据字符),但从不需要它。
On the JavaScript side, there are some escape mechanisms (with \
) in string literals. But these are a different issue, and not relevant in your case.
在JavaScript方面,字符串文字中有一些转义机制(带\)。但这些是一个不同的问题,与您的情况无关。
In your example, on a browser that conforms to current specifications, the JavaScript interpreter sees exactly the same code alert('Hello');
. The browser has “unescaped” '
or '
to '
. I was somewhat surprised to here that '
is not universally supported these days, but it’s not an issue: there is seldom any need to escape the Ascii apostrophe in HTML (escaping is only needed within attribute values and only if you use the Ascii apostrophe as its delimiter), and when there is, you can use the '
reference.
在您的示例中,在符合当前规范的浏览器上,JavaScript解释器会看到完全相同的代码警报('Hello');.浏览器具有“未转义”状态。或者 '。我对此感到有些惊讶。这些天并不普遍支持,但它不是一个问题:很少有任何需要在HTML中转义Ascii撇号(仅在属性值中需要转义,并且只有在使用Ascii撇号作为其分隔符时),并且当有,你可以使用'参考。
#2
2
'
is not a valid HTML reference entity. You should escape using '
者;不是有效的HTML引用实体。你应该逃避使用'
#3
-2
You are correct that you do not have to escape single quotes if your tag is enclosed in double quotes. When I do code javascript into tags (which is rare anymore with jQuery) the only character that I escape is the double quote, browsers handle the rest just fine.
你是正确的,如果你的标签用双引号括起来,你不必转义单引号。当我将javascript编码到标签中时(使用jQuery很少见)我逃脱的唯一字符是双引号,浏览器处理剩下的就好了。