Javascript - session.getAttribute 返回未定义的值
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/9192870/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Javascript - session.getAttribute returns undefined value
提问by user1197071
I have a JSP form that reads input from the user and calls a Java servlet to process
data. Once the data been proccesed, session.setAttributeis called to store important information. Then in Javascript I try to read the session variable and display
it on the screen. The code looks like this (some code removed):
我有一个 JSP 表单,它从用户读取输入并调用 Java servlet 来处理数据。一旦数据被处理,session.setAttribute就调用它来存储重要信息。然后在 Javascript 中,我尝试读取会话变量并将其显示在屏幕上。代码看起来像这样(删除了一些代码):
<script type="text/javascript">
var test = <%= session.getAttribute( "mySessionVar" ) %>;
document.write (test);
}
When the user enters an integer in the form, all is working as expected and the output displayed on the screen properly. However, when the user enters a String in the form, "undefined"is displayed on the screen.
当用户在表单中输入一个整数时,一切都按预期工作,并且输出正确显示在屏幕上。但是,当用户在表单中输入字符串时, 屏幕上会显示“未定义”。
Any idea what I'm doing wrong?
知道我做错了什么吗?
回答by RoToRa
Think about what your code does. Actually, don't think about it, look at it. Open the source code of your page when it's displayed in the browser. Assuming the session attribute contains the value hello, then your code will generate
想想你的代码做了什么。其实,别想了,看看吧。当页面显示在浏览器中时,打开它的源代码。假设 session 属性包含值hello,那么您的代码将生成
<script type="text/javascript">
var test = hello;
document.write (test);
</script>
So the value will be interpreted as a JavaScript variable. And since you most likely don't have defined a variable called hello, this results in undefined.
因此该值将被解释为 JavaScript 变量。并且由于您很可能没有定义名为 的变量hello,因此这会导致undefined.
However if you now only add quotes:
但是,如果您现在只添加引号:
var test = "<%= session.getAttribute( "mySessionVar" ) %>";
then you'll still not be safe, because since the value comes from your user, as you say, then it can contain not only quotes itself but also more JavaScript code or even HTML code.
那么您仍然不安全,因为正如您所说,由于值来自您的用户,因此它不仅可以包含引号本身,还可以包含更多 JavaScript 代码甚至 HTML 代码。
Imagine your user enters "; while(1) {alert('This site is crap!')};</script><h1>This site is crap!</h1>(notice the quote character at the start!)
想象一下您的用户输入"; while(1) {alert('This site is crap!')};</script><h1>This site is crap!</h1>(注意开头的引号字符!)
Leading to your source code containing:
导致您的源代码包含:
<script type="text/javascript">
var test = ""; while(1) {alert('This site is crap!')};</script><h1>This site is crap!</h1>
And now your site will not only display "This site is crap!" in large letters, but will lock the user in an endless loop of alert boxes. (That is called Cross-Site Scripting)
现在您的网站不仅会显示“这个网站是垃圾!” 大字母,但会将用户锁定在无限循环的警报框中。(这就是所谓的跨站脚本)
Number one rule in web development, NEVER EVERoutput anything (especially not user input) that hasn't been escaped properly. Use StringEscapeUtils.escapeJavaScriptfor JavaScript and c:outfor HTML.
Web 开发中的第一条规则,永远不要输出任何未正确转义的内容(尤其是不是用户输入)。将StringEscapeUtils.escapeJavaScript用于 JavaScript 和c:outHTML。
See also for example:
参见例如:
- How to escape apostrophe or quotes on a JSP (used by JavaScript)
- https://stackoverflow.com/search?q=jsp+escape+javascript
- How can I escape special HTML characters in JSP?
- https://stackoverflow.com/search?q=jsp+escape+html
- 如何在 JSP 上转义撇号或引号(由 JavaScript 使用)
- https://stackoverflow.com/search?q=jsp+escape+javascript
- 如何在 JSP 中转义特殊的 HTML 字符?
- https://stackoverflow.com/search?q=jsp+escape+html
PS: I hope, if you are using a database, you are escaping your SQL statements correctly, otherwise people can very simply get access to your database and server (called SQL injection)
PS:我希望,如果您使用的是数据库,那么您正在正确地转义您的 SQL 语句,否则人们可以非常简单地访问您的数据库和服务器(称为SQL 注入)
回答by czerasz
Try this
试试这个
var test = '<%= session.getAttribute( "mySessionVar" ) %>';
