Invalid characters that break the script

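Time: 2013-09-17 07:45:12

Tags: c# javascript apostrophe asp.net-1.1 invalid-characters

I'm using this code to build a string of JavaScript code and run it from the C# code-behind.

It works fine for normal values, but breaks when there is an ' (apostrophe) in the value.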

StringBuilder sb = new StringBuilder();
sb.Append("<script>");

// Store transmission chrome feature.
for(int i=0; i < Transmission.Length; i++)
{
    sb.Append("var obj = {text: '" + Transmission[i][0] + "',"  
                                        + "value: '" + Transmission[i][1] +"'};");
    sb.Append("transChromeData.push(obj);");
}

sb.Append("</" + "script>");
this.RegisterStartupScript("Info", sb.ToString());

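3 answers:

Answer 0 (score: 0)

It will also break if someone adds \ as a value. You need to escape the characters that would break the JavaScript string - HttpUtility.JavaScriptStringEncode will do this for you: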

StringBuilder sb = new StringBuilder();
sb.Append("<script>");

// Store transmission chrome feature.
for(int i=0; i < Transmission.Length; i++)
{
    sb.Append("var obj = {text: '" + HttpUtility.JavaScriptStringEncode(Transmission[i][0]) + "',"  
                                        + "value: '" + HttpUtility.JavaScriptStringEncode(Transmission[i][1]) +"'};");
    sb.Append("transChromeData.push(obj);");
}

sb.Append("</" + "script>");
this.RegisterStartupScript("Info", sb.ToString());

For outdated .NET versions, you will need to roll your own. Rick Strahl has a good implementation that covers the different JS characters:

public static string EncodeJsString(string s)
{
    StringBuilder sb = new StringBuilder();
    sb.Append("\"");
    foreach (char c in s)
    {
        switch (c)
        {
            case '\"':
                sb.Append("\\\"");
                break;
            case '\\':
                sb.Append("\\\\");
                break;
            case '\b':
                sb.Append("\\b");
                break;
            case '\f':
                sb.Append("\\f");
                break;
            case '\n':
                sb.Append("\\n");
                break;
            case '\r':
                sb.Append("\\r");
                break;
            case '\t':
                sb.Append("\\t");
                break;
            default:
                int i = (int)c;
                if (i < 32 || i > 127)
                {
                    sb.AppendFormat("\\u{0:X04}", i);
                }
                else
                {
                    sb.Append(c);
                }
                break;
        }
    }
    sb.Append("\"");

    return sb.ToString();
}

Answer 1 (score: 0)

Use the Microsoft JScript escape function

Microsoft.JScript.GlobalObject.escape("String to escape");

Edit

Like below:

StringBuilder sb = new StringBuilder();
sb.Append("<script>");

// Store transmission chrome feature.
for(int i=0; i < Transmission.Length; i++)
{
    sb.Append("var obj = {text: '" + Microsoft.JScript.GlobalObject.escape(Transmission[i][0]) + "',"  
                                        + "value: '" + Microsoft.JScript.GlobalObject.escape(Transmission[i][1]) +"'};");
    sb.Append("transChromeData.push(obj);");
}

sb.Append("</" + "script>");
this.RegisterStartupScript("Info", sb.ToString());

Or you can use

HttpUtility.UrlDecode

but it is not safe.

On ASP.NET 1.1, try the code suggested here: http://www.west-wind.com/weblog/posts/2007/Jul/14/Embedding-JavaScript-Strings-from-an-ASPNET-Page

Answer 2 (score: 0)

Try this:

StringBuilder sb = new StringBuilder();
sb.Append("<script>");

// Store transmission chrome feature.
for (int i = 0; i < Transmission.Length; i++)
{
    sb.Append("var obj = {text: '")
        .Append(Escape(Transmission[i][0]))
        .Append("',")
        .Append("value: '")
        .Append(Escape(Transmission[i][1]))
        .Append("'};")
        .Append("transChromeData.push(obj);");
}

sb.Append("</script>");
this.RegisterStartupScript("Info", sb.ToString());

...

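static string Escape(string source)
{
    // Escape backslashes first, then apostrophes, so a "\" already in the value cannot cancel the added escape.
    return source.Replace(@"\", @"\\").Replace(@"'", @"\'");
}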
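
An added example (not code from the question or from any of the answers): a console program that prints the statement the question's concatenation produces next to the same value passed through an encoder for single-quoted literals. Besides `'` and `\`, it writes `<`, `>`, `&` and all non-ASCII characters as `\uXXXX`, so a value containing `</script>` cannot close the inline script block. `JsEncode`, `JsStringDemo` and the sample values are assumptions made up for this illustration, and only APIs available in .NET 1.1 are used.

```csharp
using System;
using System.Text;

class JsStringDemo
{
    // Hypothetical helper: encodes a value for use inside a single-quoted JavaScript string literal.
    static string JsEncode(string s)
    {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.Length + 8);
        foreach (char c in s)
        {
            switch (c)
            {
                case '\\': sb.Append("\\\\"); break;
                case '\'': sb.Append("\\'"); break;
                case '"': sb.Append("\\\""); break;
                case '\n': sb.Append("\\n"); break;
                case '\r': sb.Append("\\r"); break;
                case '\t': sb.Append("\\t"); break;
                default:
                    // Control characters, non-ASCII (including U+2028/U+2029) and < > & become \uXXXX.
                    if (c < 32 || c > 126 || c == '<' || c == '>' || c == '&')
                        sb.AppendFormat("\\u{0:X4}", (int)c);
                    else
                        sb.Append(c);
                    break;
            }
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample values, not data from the question.
        string[] samples = { "4-Speed Auto", "Driver's Choice", "C:\\gear\\", "x</script>y" };
        foreach (string v in samples)
        {
            // "raw" is what the question's concatenation emits; "encoded" is the safe form.
            Console.WriteLine("raw:     var obj = {text: '" + v + "'};");
            Console.WriteLine("encoded: var obj = {text: '" + JsEncode(v) + "'};");
        }
    }
}
```

For "Driver's Choice" the raw line ends the literal at the apostrophe, while the encoded line stays one string; the last two samples show the same for a trailing backslash and for `</script>`.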