为什么这个字符串不会逃脱?

时间:2012-06-14 18:31:00

标签: javascript python html escaping web2py

我有一些带有onSubmit的HTML:

<form id="login_box" onSubmit="alert('{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}'); this.submit(); this.reset(); return false;">

问题在于,无论我做什么,它都不会逃避嵌套引号。我试过了:

<form id="login_box" onSubmit="alert('{{=T(\'Thank you for contacting us! We have received your email and will contact you shortly.\')}}'); this.submit(); this.reset(); return false;">

<form id="login_box" onSubmit="alert(\"{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}\"); this.submit(); this.reset(); return false;">

<form id="login_box" onSubmit=\"alert(\\"{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}\\"); this.submit(); this.reset(); return false;\">

即使我知道它也行不通,我能想到的任何其他组合。我没有尝试逃避嵌套引号。

4 个答案:

答案 0 :(得分:2)

我认为你在python中使用twig或任何类似的模板系统。

如果您要翻译{{=T('message to translate')}},只需将该字符串放入自定义attr。

实施例

<form id="login_box" msg="{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}" onSubmit="alert(this.getAttribute('msg')); this.submit(); this.reset(); return false;">

the example

:)

答案 1 :(得分:1)

假设这是在web2py模板中,您的原始代码:

onSubmit="alert('{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}'); this.submit(); this.reset(); return false;"

生成以下HTML:

onSubmit="alert('Thank you for contacting us! We have received your email and will contact you shortly.'); this.submit(); this.reset(); return false;"

据我所知,在浏览器中工作正常。但是,如果要在警报中转义那些单引号,则可以执行以下操作:

onSubmit="alert({{="'%s'" % T('Thank you for contacting us! We have received your email and will contact you shortly.')}}); this.submit(); this.reset(); return false;"

将生成以下HTML:

onSubmit="alert(&#x27;Thank you for contacting us! We have received your email and will contact you shortly.&#x27;); this.submit(); this.reset(); return false;"

也可以在浏览器中使用。

{{ }}分隔符内的所有内容都是Python代码,将在服务器上执行并在写入响应之前进行转义。 {{ }}分隔符之外的所有内容都将按原样包含在响应中(即,web2py不会进行转义)。在原始代码中,警报中的单引号位于web2py模板分隔符之外,因此它们不会被web2py转义并按原样交付。这在web2py书的this section中进一步解释。

答案 2 :(得分:0)

在HTML属性中,某些字符("&)必须编码为HTML实体。在javascript字符串中,字符串分隔符(例如')必须使用反斜杠进行转义。这意味着你的第一个应该可以工作。

<form id="login_box" onSubmit="alert('{{=T(\'Thank you for contacting us! We have received your email and will contact you shortly.\')}}'); this.submit(); this.reset(); return false;">

点击它时,这应该提醒{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}。假设这是你想要的?

修改

{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}

将返回一个字符串,所以

<form id="login_box" onSubmit="alert('{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}'); this.submit(); this.reset(); return false;">

将成为

<form id="login_box" onSubmit="alert('Thank you for contacting us! We have received your email and will contact you shortly.'); this.submit(); this.reset(); return false;">

在呈现的HTML中。这是对的。但是,你需要转义任何反斜杠,然后html实体编码T函数的输出(按此顺序)。

答案 3 :(得分:0)

对返回的值进行HTML编码,然后将其编码为JSON。