有没有办法在 HTML 文件中禁用 javascript?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7928113/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is there a way to disable javascript within the HTML file?
提问by Fotis MC
I compose a large HTML file out of a huge unformatted text file. Now my fear is that the text file might contain some malicious javascript code. To avoid any damage I scan the text and replace any < or > with lt and gt. That is quite effective, but it's not really good for the performance.
我用一个巨大的无格式文本文件组成了一个大的 HTML 文件。现在我担心的是文本文件可能包含一些恶意的 javascript 代码。为了避免任何损坏,我扫描文本并将任何 < 或 > 替换为 lt 和 gt。这非常有效,但对性能来说并不是很好。
Is there some tag or attribute or whatever that allows me to turn javascript off within the HTML file? In the header perhaps?
是否有一些标签或属性或任何允许我在 HTML 文件中关闭 javascript 的东西?也许在标题中?
采纳答案by Rob W
Since you've considered replacing all <and >by the HTML entities, a good option would consist of sending the Content-Type: text/plainheader.
由于您已经考虑用HTML 实体替换 all<和>,因此发送Content-Type: text/plain标头是一个不错的选择。
If you include want to show the contents of the file, replacing every &by &and every <by <is sufficient to correctly display the contents of the file. Example:
Input: Huge wall of text 1<a2 &>1
Output: Huge wall of text 1<a2 &>1
Unmodified output, displaying in browser: Huge wall of text 11(<..>interpreted as HTML)
如果您有想要显示文件的内容,替换每个&通过&和每一个<通过<足以正确显示文件的内容。例如:
输入:Huge wall of text 1<a2 &>1
输出:Huge wall of text 1<a2 &>1
未改性的输出,显示在浏览器中:Huge wall of text 11(<..>解释为HTML)
If you cannot modify code at the back-end (server-side), you need a HTML parser, which sanitised your code. JavaScript is not the only threat, embedded content (<object>, <iframe>, ...) can also be very malicious. Have a look at the following answer for a very detailed HTML parser & sanitizer :
Can I load an entire HTML document into a document fragment in Internet Explorer?
如果您无法在后端(服务器端)修改代码,则需要一个 HTML 解析器来清理您的代码。JavaScript 不是唯一的威胁,嵌入的内容 ( <object>, <iframe>, ...) 也可能是非常恶意的。查看以下有关非常详细的 HTML parser & sanitizer 的答案:
我可以将整个 HTML 文档加载到 Internet Explorer 中的文档片段中吗?
回答by Marian Bazalik
When you have a control of backend, you can provide file with header
当您可以控制后端时,您可以提供带有标题的文件
Content-type: text/plain;
回答by Madara's Ghost
No, you can't disable JavaScript from inside a webpage, rather, you should sanitize any and all input from your users to make sure no malicious scripts go through your script.
不,您不能从网页内部禁用 JavaScript,相反,您应该清理用户的所有输入,以确保没有恶意脚本通过您的脚本。
Whether it's by remove all script tags or replacing <and >, you need to make sure your input is clean.
无论是删除所有脚本标签还是替换<and >,您都需要确保输入是干净的。
回答by xbonez
Do a search for <scriptand replace with <!--<scriptand search for </script>and replace with </script>-->.
搜索<script并替换为<!--<script,搜索</script>并替换为</script>-->。
This should comment out all scripts in the file.
这应该注释掉文件中的所有脚本。
回答by e-info128
you need a sandbox or clean html code. look phpids or html purifier.
您需要一个沙箱或干净的 html 代码。看看 phpids 或 html 净化器。
