[HTML] Escape characters / character entities: &lt; &gt; &amp;

In development, a URL that JavaScript obtains from the backend comes back escaped, for example http://localhost:8080/Home/Index?a=14&amp;b=15&amp;c=123, and I want to convert it to http://localhost:8080/Home/Index?a=14&b=15&c=123

After searching online for a long time I found a solution:

Escaping is split into two functions, escapeHTML and unescapeHTML; let's look at how the two are implemented first.

js code:

var htmlUtil = {
    /**
     * @function escapeHTML  escape the HTML-significant characters < > & " '
     * @param a - string
     */
    escapeHTML: function(a){
        a = "" + a;
        // "&" must be replaced first, otherwise the "&" written by the later
        // replacements would itself be escaped again
        return a.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
    },
    /**
     * @function unescapeHTML  restore the HTML characters < > & " ' from their entities
     * @param a - string
     */
    unescapeHTML: function(a){
        a = "" + a;
        // "&amp;" is restored last, the mirror image of escapeHTML's order
        return a.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"').replace(/&apos;/g, "'").replace(/&amp;/g, "&");
    }
};

1. escapeHTML converts < > & " ' into character entities.
Usage scenarios:
(1) The user enters <script>alert(2);</script> in the page (for example in an input box), and JS submits the content to the backend to be saved.
(2) The backend returns the string to the frontend for display. After JS receives it:
a. With escapeHTML, it is converted to the string &lt;script&gt;alert(2);&lt;/script&gt;. The browser can render this correctly, because once it receives the entity characters it turns them back into the corresponding angle brackets and so on, as text rather than as markup.
b. Without escapeHTML, the browser treats < as the start of an HTML tag and executes the string as a script. This is an XSS vulnerability.

2. unescapeHTML converts character entities back into < > & " '
Usage scenario:
The backend returns the escaped content for display on the page, for example &lt;script&gt;alert(2);&lt;/script&gt;. After JS receives it:
a. If the frontend runs unescapeHTML, it can operate on the DOM directly to render the tag on the page.
b. If the frontend does not run unescapeHTML, it outputs &lt;script&gt;alert(2);&lt;/script&gt; as it is, which is displayed but not executed.

Escape characters:

Tip: The advantage of using entity names instead of entity numbers is that the names are easy to remember. The disadvantage is that a browser may not support every entity name (support for entity numbers is good).
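As an added example (not code from the original post), here are both helpers again in the form I would use: a single-pass escape, so an already-escaped value such as the URL above can never be double-escaped by replacement ordering, and an unescape that also accepts the numeric forms (&#39;, &#x27;) the tip mentions, so values escaped by another tool still round-trip. The function names and ESCAPE_MAP/NAMED tables are my own choices; it runs in Node or a browser.

```javascript
// Single-pass escape: each matched character is replaced independently,
// so the "&" written by one replacement is never visited again.
const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Named entities we restore; anything else is left untouched rather than guessed.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Restore named entities plus numeric ones in decimal (&#39;) or hex (&#x27;) form.
function unescapeHTML(value) {
  return String(value).replace(
    /&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi,
    (match, _body, hex, dec, name) => {
      let cp;
      if (hex !== undefined) cp = parseInt(hex, 16);
      else if (dec !== undefined) cp = parseInt(dec, 10);
      else {
        const key = name.toLowerCase();
        return Object.prototype.hasOwnProperty.call(NAMED, key) ? NAMED[key] : match;
      }
      // Out-of-range code points would make fromCodePoint throw; keep the text as-is.
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
  );
}

// Constructed sample values from the scenarios in the post.
const ESCAPED_URL = "http://localhost:8080/Home/Index?a=14&amp;b=15&amp;c=123";
const PAYLOAD = "<script>alert(2);</script>";

if (typeof require !== "undefined" && require.main === module) {
  console.log(unescapeHTML(ESCAPED_URL)); // the plain URL the post wants
  console.log(escapeHTML(PAYLOAD));       // safe to place in the page as text
}
```

Assigning the escaped string to innerHTML shows it as text; assigning the unescaped string to innerHTML re-creates the tag, which is the XSS case the post describes.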


Origin blog.csdn.net/u013066730/article/details/108358895