Javascript 为什么赢了';这根绳子不能逃脱吗?
usI有一些带有onSubmit的html:Javascript 为什么赢了';这根绳子不能逃脱吗?,javascript,python,html,escaping,web2py,Javascript,Python,Html,Escaping,Web2py,usI有一些带有onSubmit的html: <form id="login_box" onSubmit="alert('{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}'); this.submit(); this.reset(); return false;"> 问题是,无论我做什么,它都无法逃避嵌套的引号。我试过: <for
<form id="login_box" onSubmit="alert('{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}'); this.submit(); this.reset(); return false;">
问题是,无论我做什么,它都无法逃避嵌套的引号。我试过:
<form id="login_box" onSubmit="alert('{{=T(\'Thank you for contacting us! We have received your email and will contact you shortly.\')}}'); this.submit(); this.reset(); return false;">
<form id="login_box" onSubmit="alert(\"{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}\"); this.submit(); this.reset(); return false;">
<form id="login_box" onSubmit=\"alert(\\"{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}\\"); this.submit(); this.reset(); return false;\">
还有我能想到的任何其他组合,即使我知道它行不通。我没有尝试转义嵌套引号。在HTML属性中,某些字符(
“
和&
)必须编码为HTML实体。在javascript字符串中,必须使用反斜杠转义字符串分隔符(例如”
),这意味着第一个字符应该可以工作
<form id="login_box" onSubmit="alert('{{=T(\'Thank you for contacting us! We have received your email and will contact you shortly.\')}}'); this.submit(); this.reset(); return false;">
将返回字符串,因此
<form id="login_box" onSubmit="alert('{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}'); this.submit(); this.reset(); return false;">
将成为
<form id="login_box" onSubmit="alert('Thank you for contacting us! We have received your email and will contact you shortly.'); this.submit(); this.reset(); return false;">
在呈现的HTML中。这是正确的。但是,您需要转义任何反斜杠,然后HTML实体对T函数的输出进行编码(按该顺序)。我认为您使用的是python中的twig或任何类似的模板系统 如果您想翻译
{{=T('messagetotranslate')}
,只需将该字符串放入自定义属性
例子:
:)HTML对返回值进行编码,然后将其编码为JSON。假设这是在web2py模板中,您的原始代码:
onSubmit="alert('{{=T('Thank you for contacting us! We have received your email and will contact you shortly.')}}'); this.submit(); this.reset(); return false;"
生成以下HTML:
onSubmit="alert('Thank you for contacting us! We have received your email and will contact you shortly.'); this.submit(); this.reset(); return false;"
onSubmit="alert('Thank you for contacting us! We have received your email and will contact you shortly.'); this.submit(); this.reset(); return false;"
据我所知,它在浏览器中运行良好。但是,如果您想转义警报中的单引号,可以执行以下操作:
onSubmit="alert({{="'%s'" % T('Thank you for contacting us! We have received your email and will contact you shortly.')}}); this.submit(); this.reset(); return false;"
将生成以下HTML:
onSubmit="alert('Thank you for contacting us! We have received your email and will contact you shortly.'); this.submit(); this.reset(); return false;"
onSubmit="alert('Thank you for contacting us! We have received your email and will contact you shortly.'); this.submit(); this.reset(); return false;"
也可以在浏览器中使用
{}
分隔符内的所有内容都是Python代码,将在服务器上执行,并在写入响应之前转义。{}
分隔符外的所有内容都将按原样包含在响应中(即web2py不转义)。在您的原始代码中,警报中的单引号不在web2py模板分隔符的范围内,因此它们不会被web2py转义,而是按原样传递。这在web2py手册的部分中有进一步解释。这是生成的HTML?什么是{=
?(我猜T(…)
是某种翻译函数)。你能告诉我这和python有什么关系吗?替换字符串符号。'他说“你好,她说‘再见’”@Felix{{=T('是python翻译函数。它在翻译警报中的消息。{{=T()}}是如何工作的?我想这不是OP想要的,因为T
是python函数(正如在评论中提到的)应该调用的,可能是模板OP的一部分正在使用?是的,我没有读/看到。是{{=}
某种模板语法吗?是的,它是正确的语法{=}
并且在其他js脚本中运行良好,但是,这个特定的脚本不想正常工作,因为它在警报中。如果我尝试转义内部的“警报”,python将拒绝它。如果我尝试将警报的引号更改为“并尝试基于包含转义”,js将拒绝它。如onSubmit=“警报(\”{{=t(“
。虽然我不知道为什么会这样……反过来说。首先是JSON编码,然后是HTML实体编码。它的javascript是HTML格式的,而不是javascript格式的HTML。我正在使用web2py。这看起来可能行得通,但要到早上才能测试。它会让你知道。它似乎想工作。但它只返回“未定义”。属性似乎是get Attribute()无法访问。我更新了示例,现在一切正常。谢谢。我需要刷新所有getDocument/getAttribute/etc知识。