如何使用 JavaScript 禁用 <script> 元素
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/9850317/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How do you disable <script> elements using JavaScript
提问by vurquee
I want to disable <script>tags. Here's my code, but it doesn't work.
我想禁用<script>标签。这是我的代码,但它不起作用。
document.getElementsByTagName('script').disabled = true;
采纳答案by Eugene
Can't be done... A script tag evaluates as soon as the DOM renderer renders it, so getting a handle on it after wards won't do much.
无法完成...脚本标签在 DOM 渲染器渲染后立即评估,因此在 wards 之后处理它不会做太多事情。
回答by Denis Chmel
In fact, it is possible to disable execution by changing "type" attribute:
实际上,可以通过更改“type”属性来禁用执行:
<script type="text/javascript">
alert("I will alert you");
</script>
<script type="application/json">
alert("And I will keep silent");
</script>
<script>
alert("I will alert too");
</script>
回答by Dave
Sorry, but you can't disable the <script>element.
抱歉,您无法禁用该<script>元素。
回答by Roy Shoa
As I understand you are getting some HTML code from the Database and add it to the page. If so, You can write a Server Side function that will add a HTML Notes around the scripts using a simple Regex and after that the user saving the changes you will need to remove the notes.
据我了解,您正在从数据库中获取一些 HTML 代码并将其添加到页面中。如果是这样,您可以编写一个服务器端函数,该函数将使用简单的正则表达式在脚本周围添加 HTML 注释,然后用户保存更改,您将需要删除注释。
You can do it also in Javascript if you have the HTML string that you like to add before you add it to the Dom.
如果您在将 HTML 字符串添加到 Dom 之前想要添加它,您也可以在 Javascript 中执行此操作。
回答by Dorian
Removing all the events on DOM nodes will prevent most of the JavaScript from executing (here for document):
删除 DOM 节点上的所有事件将阻止大部分 JavaScript 执行(此处为document):
for (key in getEventListeners(document)) {
getEventListeners(document)[key].forEach(function(c) {
c.remove()
})
}
回答by Jeff Luyet
You candisable a script element. There are a couple of ways:
您可以禁用脚本元素。有几种方法:
You can specify a different script typeas other have listed. Heres the one that worked for me:
您可以指定与其他脚本类型不同的脚本类型。这是对我有用的一个:
//loop through all script tags on page
$('script').each(function(){
var scripthtml = $(this).html();
$(this).replaceWith('<script type="text/gzip">' + scripthtml + '</script>');
});
All of the official script types can all be found here: iana.org
所有官方脚本类型都可以在这里找到: iana.org
The second way is just a simple if statement:
第二种方法只是一个简单的 if 语句:
//loop through all script tags on page
$('script').each(function(){
var scripthtml = $(this).html();
$(this).replaceWith('<script>if (1==0){' + scripthtml + '}</script>');
});
The if statement will always be false, so anything inside the script tag won't execute. However all of your functions() inside the script tag will all be valid.
if 语句将始终为 false,因此脚本标记内的任何内容都不会执行。但是,脚本标记内的所有函数() 都将有效。
Heres the javascript equivalentof replaceWith:
继承人的javascript 相当于replaceWith:
//get script and html
var yourscripttag = document.getElementById('yourscripttagID');
var scripthtml = 'if (1==0){' + yourscripttag.innerHTML + '}';
//remove script
yourscripttag.remove();
//create new script element
var newscript=document.createElement('script');
newscript.type='text/javascript';
//insert html in new script tag
newscript.appendChild(document.createTextNode(scripthtml));
//insert new script tag into head
document.getElementsByTagName('head').item(0).appendChild(newscript);
回答by Ismael Harun
You can hack it. Use another script to do a....
你可以破解它。使用另一个脚本来做一个......
node.parentNode.replaceChild(
document.createComment(node.outerHTML.slice(1,-1)
.replace(/--/g, '\-\-')), node);
Where node is your script node/element. The replacing of double dashes is to prevent the browser complaining about an uncompliant comment tag.
其中 node 是您的脚本节点/元素。替换双破折号是为了防止浏览器抱怨评论标签不合规。
Then if you want to enable it just do the reverse comment.replace and enclose with < and >. But you probably need to keep track of the modified script node, because after it becomes a comment it is less query-able.
然后,如果您想启用它,只需执行反向 comment.replace 并用 < 和 > 括起来。但是您可能需要跟踪修改后的脚本节点,因为在它成为注释之后,它的查询能力就变差了。
回答by Vaibhav Jain
Inline Java is a security risk. But this can be mitigated using a simple solution.
内联 Java 存在安全风险。但这可以通过一个简单的解决方案来缓解。
Simply replace any instance of with something like <script&rt; so it does not render as a tag, but will output in HTML appearing as if it was a tag.
只需将 的任何实例替换为 <script&rt; 之类的东西;因此它不会呈现为标签,而是会以 HTML 格式输出,看起来就像是标签一样。
input.replace("<script>", "<script>")
.replace("</script>", "</script>")
This will work if your use case is something like:
如果您的用例是这样的,这将起作用:
If you want to disable inline script such as
<script> alert("Hello"); </script>
- If you don't want to remove the content(script tag data) from display.
如果要禁用内联脚本,例如
<script> alert("你好"); </脚本>
- 如果您不想从显示中删除内容(脚本标记数据)。
