开发者

Loading HTML content containing inline script via jQuery

问答 作者:

The Background

  • I run an ASP.NET site using Graffiti CMS for a local charitable/service organization.
  • The leaders of the organization want to start integrating a third-party back-end management system that exposes content as full HTML pages.
  • One of the pages, the officer list, uses inline script to load pictures or placeholders (depending on whether or not there is a picture for the given officer).
  • I've created a server-side proxy that enables loading the content from these pages using jQuery's .load() AJAX function.
  • I can display this content fine using an iframe, but that feels really kludgy, and if the size of the content changes, I may need to alter the size of the iframe to ensure it all displays (blech!).

The Problem

If I create a <div> in a Graffiti post, and use $("#divid").load(url) to load the content, the HTML content loads fine, but the inline script is stripped out, so neither the officer images nor the placeholders are displayed.

The Question

Understanding that the reason for the problem is that jQuery is almost certainly trying to protect against potentially bad stuff by removing the inline script before I load it into my DOM, is there a way using jQuery to grab this HTML and load it into my DOM that will preserve the script, but not open major security holes? I do trust the system from which I'm loading the content, if that makes a difference.

Suggestions? I'm looking to keep this as simple as possible...anything too complex, a开发者_C百科nd I'm just as well off to stick with the iframe.

Thanks in advance!

@devhammer

There is an issue when you use document.write. If you have the ability to modify the source pages you can modify them to use the innerHtml technique instead.

To do so you would change something like this:

<div id="testDiv">
  <script type="text/javascript">
    document.write("<img src='image1.jpg' alt='' />");
  </script>
</div>

To this:

<div id="testDiv">
<div>
<script type="text/javascript">
  document.getElementByid('testDiv').innerHTML = "<img src='image1.jpg' alt='' />";
</script>

Doesn't work for me...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" >
    <head>
        <title></title>
    </head>
    <body>
        <script src="Scripts/jquery-1.3.2.min.js" type="text/javascript"></script>
        <script type="text/javascript">
            $(document).ready(function() {
                var dynamic = 'begin <script type="text/javascript">alert("hello");<\/script> end';
                $('#test').html(dynamic);
            });
        </script>
        <div id="test"></div>
    </body>
</html>

The alert box is showing.. but if you replace it with a document.write, nothing in the document.write appears... you have "begin end"

Hope this helps!

Try setting the HTML manually, like this:

$.get(url, function(htmlText) { $('#divid').html(htmlText); });

I'm pretty sure this will execute the scripts.

继续阅读:asp.netjqueryscripting

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9