我创建了一个脚本,用于尝试删除不安全的内容(我将其用于浏览器扩展):
var str = "<strong>Hello</strong> mundo <script src="http://site/badscript.js"></script>";
CreateDOM(str);
function RemoveAttrs(target)
{
var attrs = target.attributes, currentAttr;
var validAttrs = [ "href", "class", "id", "target" ];
for (var i = attrs.length - 1; i >= 0; i--) {
currentAttr = attrs[i].name;
if (attrs[i].specified && validAttrs.indexOf(currentAttr) === -1) {
target.removeAttribute(currentAttr);
}
if (
currentAttr === "href" &&
/^(#|javascript[:])/gi.test(target.getAttribute("href"))
) {
target.parentNode.removeChild(currentAttr);
}
}
}
function RemoveEls(target)
{
var current;
//Remove elements insecure (blacklist)
var list = target.querySelectorAll("script,link,...");
for (var i = …我有一个简单的字符串是
Company's
现在我有一些提交表单时运行的javascript
var jsCompanyName = '@Model.Name';
var unescapedCompanyName = unescape(jsCompanyName);
$('.selector-input').val(unescapedCompanyName);
$('.selector-input-id').val('@Model.Id');
经过调试人员的思考,即使使用了unescape函数,我的var unescapedCompanyName仍然是“ Company's”,是否有人对为什么不删除'并用'