在哪里可以找到我的 JSON ajax 返回类型所需的转义字符列表?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/983451/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Where can I find a list of escape characters required for my JSON ajax return type?
提问by Blankman
I have an ASP.NET MVC action that is returning a JSON object.
我有一个返回 JSON 对象的 ASP.NET MVC 操作。
The JSON:
JSON:
{status: "1", message:"", output:"<div class="c1"><div class="c2">User generated text, so can be anything</div></div>"}
Currently my HTML is breaking it. There will be user generated text in the output field, so I have to make sure I escape ALL things that need to be escaped.
目前我的 HTML 正在破坏它。输出字段中将有用户生成的文本,因此我必须确保转义所有需要转义的内容。
Does someone have a list of all things I need to escape for?
有人有我需要逃避的所有事情的清单吗?
I'm not using any JSON libraries, just building the string myself.
我没有使用任何 JSON 库,只是自己构建字符串。
回答by Pashec
Take a look at http://json.org/. It claims a bit different list of escaped characters than Chris proposed.
看看http://json.org/。它声称的转义字符列表与 Chris 提出的略有不同。
\"
\
\/
\b
\f
\n
\r
\t
\u four-hex-digits
回答by Chris Nielsen
Here is a list of special characters that you can escape when creating a string literal for JSON:
以下是在为 JSON 创建字符串文字时可以转义的特殊字符列表:
\b Backspace (ASCII code 08) \f Form feed (ASCII code 0C) \n New line \r Carriage return \t Tab \v Vertical tab \' Apostrophe or single quote \" Double quote \ Backslash character
Reference: String literals
参考:字符串文字
Some of these are more optional than others. For instance, your string should be perfectly valid whether you escape the tab character or leave in a tab literal. You should certainly be handling the backslash and quote characters, though.
其中一些比其他更可选。例如,无论您转义制表符还是保留制表符文字,您的字符串都应该完全有效。不过,您当然应该处理反斜杠和引号字符。
回答by Andrei Bozantan
As explained in the section 9 of the official ECMA specification (http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf) in JSON, the following chars have to be escaped:
正如官方 ECMA 规范 ( http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf)的第 9 节所述,必须对以下字符进行转义:
U+0022(", the quotation mark)U+005C(\, the backslash or reverse solidus)U+0000toU+001F(the ASCII control characters)
U+0022(", 引号)U+005C(\, 反斜杠或反斜线)U+0000toU+001F(ASCII 控制字符)
In addition, in order to safely embed JSON in HTML, the following chars have to be also escaped:
此外,为了安全地将 JSON 嵌入到 HTML 中,还必须对以下字符进行转义:
U+002F(/)U+0027(')U+003C(<)U+003E(>)U+0026(&)U+0085(Next Line)U+2028(Line Separator)U+2029(Paragraph Separator)
U+002F(/)U+0027(')U+003C(<)U+003E(>)U+0026(&)U+0085(下一行)U+2028(行分隔符)U+2029(段落分隔符)
Some of the above characters can be escaped with the following short escape sequences defined in the standard:
可以使用标准中定义的以下短转义序列对上述某些字符进行转义:
\"represents the quotation mark character (U+0022).\\represents the reverse solidus character (U+005C).\/represents the solidus character (U+002F).\brepresents the backspace character (U+0008).\frepresents the form feed character (U+000C).\nrepresents the line feed character (U+000A).\rrepresents the carriage return character (U+000D).\trepresents the character tabulation character (U+0009).
\"表示引号字符 (U+0022)。\\表示反向固体字符 (U+005C)。\/表示实线字符 (U+002F)。\b表示退格字符 (U+0008)。\f表示换页符 (U+000C)。\n表示换行符 (U+000A)。\r表示回车符 (U+000D)。\t表示字符制表符 (U+0009)。
The other characters which need to be escaped will use the \uXXXXnotation, that is \ufollowed by the four hexadecimal digits that encode the code point.
其他需要转义的字符将使用\uXXXX符号,\u后跟四个对代码点进行编码的十六进制数字。
The \uXXXXcan be also used instead of the short escape sequence, or to optionally escape any other character from the Basic Multilingual Plane (BMP).
的\uXXXX,也可以使用代替短转义序列,或任选地逃脱从基本多语种平面(BMP)的任何其他字符。
回答by Kevin Smyth
From the spec:
从规范:
All characters may be placed within the quotation marks except for the characters that must be escaped: quotation mark (U+0022), reverse solidus [backslash] (U+005C), and the control characters U+0000 to U+001F
除了必须转义的字符外,所有字符都可以放在引号内:引号 (U+0022)、反斜线 [反斜杠] (U+005C) 和控制字符 U+0000 到 U+001F
Just because e.g. Bell (U+0007) doesn't have a single-character escape code does not mean that you don't need to escape it. Use the Unicode escape sequence \u0007.
仅仅因为例如 Bell (U+0007) 没有单字符转义代码并不意味着您不需要对其进行转义。使用 Unicode 转义序列\u0007。
回答by Jarett Millard
Right away, I can tell that at least the double quotes in the HTML tags are gonna be a problem. Those are probably all you'll need to escape for it to be valid JSON; just replace
马上,我就知道至少 HTML 标签中的双引号会有问题。要使其成为有效的 JSON,您可能只需要转义这些;只需更换
"
with
和
\"
As for outputting user-input text, you do need to make sure you run it through HttpUtility.HtmlEncode() to avoid XSS attacksand to make sure that it doesn't screw up the formatting of your page.
至于输出用户输入的文本,您需要确保通过 HttpUtility.HtmlEncode() 运行它以避免XSS 攻击并确保它不会破坏页面的格式。
回答by Marius
The JSON reference states:
JSON 参考说明:
any-Unicode-character-
except-"-or-\-or-
control-character
Then lists the standard escape codes:
然后列出标准转义码:
\" Standard JSON quote \ Backslash (Escape char) \/ Forward slash \b Backspace (ascii code 08) \f Form feed (ascii code 0C) \n Newline \r Carriage return \t Horizontal Tab \u four-hex-digits
From this I assumed that I needed to escape all the listed ones and all the other ones are optional. You can choose to encode all characters into \uXXXXif you so wished, or you could only do any non-printable 7-bit ASCII characters or characters with Unicode value not in \u0020 <= x <= \u007Erange (32 - 126). Preferably do the standard characters first for shorter escape codes and thus better readability and performance.
由此我假设我需要转义所有列出的,而所有其他的都是可选的。\uXXXX如果您愿意,您可以选择将所有字符编码为,或者您只能编码任何不可打印的 7 位 ASCII 字符或 Unicode 值不在\u0020 <= x <= \u007E范围内的字符(32 - 126)。对于较短的转义码,最好先使用标准字符,从而获得更好的可读性和性能。
Additionally you can read point 2.5 (Strings) from RFC 4627.
此外,您可以从RFC 4627 中读取点 2.5(字符串)。
You may (or may not) want to (further) escape other characters depending on where you embed that JSON string, but that is outside the scope of this question.
您可能(也可能不想)想要(进一步)转义其他字符,具体取决于您嵌入该 JSON 字符串的位置,但这超出了本问题的范围。
