There is a problem when using Ajax to leave a message. The message content is submitted via Ajax and then added to the page with JS; when messages are viewed, they are also fetched via Ajax and then displayed the same way. So if someone writes a JS statement into a message, that statement is executed when the message is rendered. The solution is to escape the special characters before the content is displayed. If you use JSTL tags in your JSP, this is easy: <c:out value="${r.content}"/> does it and escapes automatically; the parameter escapeXml="true" can be omitted because it is the default. So do not use a bare EL expression (${r.content}) to display content submitted by users, because EL does not escape automatically; it is better to use c:out. If the content is also requested via Ajax and then displayed, use the following method. It is actually very simple.
A message containing a script looks like this when it arrives, and setting it with .text() inserts it as literal text:

    var html = "<script>alert('asdfasdf')<\/script>";
    $("#content").text(html);

What the fix comes down to is simply escaping these special characters: < into &lt; and > into &gt;. jQuery can do the escaping for you by setting the string as text on an element and reading it back as HTML:

    <script>
    var html = "<script>alert('asdfasdf')<\/script>";
    // #x is a helper element that must exist in the page (for example a hidden div);
    // .text() stores the string as a text node, .html() returns it serialised with < > & escaped
    html = $("#x").text(html).html();
    $("#content").append("<div>" + html + "</div>");
    </script>
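The same escaping done without jQuery or a DOM, as an added example that is not part of the original post: escapeForElementContent reproduces what the $(el).text(s).html() round-trip produces (the browser serialises &, < and > in a text node), and escapeForAttribute is a stricter variant for quoted attribute values, which the round-trip trick does not cover. renderMessages and SAMPLE_MESSAGES are assumptions made for the example; the message objects are constructed sample data shaped like an Ajax response.

```javascript
// Escapes what the jQuery .text()/.html() round-trip escapes.
// Safe for element content (between tags), not for attribute values.
function escapeForElementContent(s) {
  return String(s)
    .replace(/&/g, "&amp;")   // & first, so later entities are not double-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Stricter variant for quoted attribute values: also escapes both quote
// characters, so a message cannot terminate title="..." early.
function escapeForAttribute(s) {
  return escapeForElementContent(s)
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample data standing in for the Ajax response (assumed shape).
var SAMPLE_MESSAGES = [
  { user: "alice", content: "hello" },
  { user: 'bob "the builder"', content: "<script>alert('asdfasdf')</script>" }
];

// Builds the markup the post appends to #content, escaping each value for
// the context it is placed in (attribute vs. element content).
function renderMessages(messages) {
  return messages
    .map(function (m) {
      return '<div title="' + escapeForAttribute(m.user) + '">' +
             escapeForElementContent(m.content) + "</div>";
    })
    .join("");
}

// Simple output check: escaped user content must contain no raw angle brackets.
function hasRawAngleBrackets(escaped) {
  return /[<>]/.test(escaped);
}

// Stand-alone run for the reader.
console.log(renderMessages(SAMPLE_MESSAGES));
```

Two caveats on the post's snippet: $("#x") must match an element in the page, otherwise .text() does nothing and .html() returns undefined; $("<div>").text(html).html() works with a detached element and needs no helper in the DOM. And because the round-trip only escapes &, < and >, its output is safe as element content but not inside an attribute value, which is why the attribute variant above also escapes quotes.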
Prevent front-end scripting JavaScript injection