1

我正在使用 $.cookie() 以 JSON 格式从 cookie 中提取所有值:

var props = $.cookie('params');

props返回:

{"distinct_id": "13f97d6600b42e-000e6293c-6b1b2e75-232800-13f97d6600cc82","utm_source": "the_source","utm_term": "myterms","utm_campaign": "campaign","utm_medium": "medium","utm_content": "content"}

我正在使用 jQuery 将其动态插入到表单中,并且我想确保一切正常,POST即使其中可能存在各种通常与 HTML 冲突的疯狂字符(完全限定的 url 、、、、、甚至可能是或)&"'><

我还需要确保它可以在 IE6、IE7 等中运行。

var input = $('<input type="hidden" name="CustomField1">');
input.appendTo($('form[data-params=track]')).val(props);

它会*看起来*正在工作,但我想 100% 确定我做对了,因为这一步没有错误非常重要。

4

3 回答 3

1

I am pretty sure val() does not need any additional escaping as you are not actually editing raw HTML. val() sets DOM value on an element.

Generally setting attributes or properties through DOM/jQuery should be fine. Those will be auto-escaped when rendering innerHtml. But if you submit a page it does not even have to render anything -- it can just directly copy values from DOM to request.

于 2013-07-02T02:59:52.233 回答
1

Since your are setting the value of an input field, it should just work fine, there is no need to escape/process any characters in the input's value.

于 2013-07-02T03:00:17.290 回答
0

You can use the JavaScript escape() function to make sure the string get's escaped properly for display in the browser.

于 2013-07-02T02:58:46.950 回答