Next, the String section moves on to the application-specific methods: those for HTML strings, for JSON strings, and for script strings embedded in HTML.
HTML processing   | stripTags | escapeHTML | unescapeHTML
JSON processing   | unfilterJSON | isJSON | evalJSON | parseJSON
Script processing | stripScripts | extractScripts | evalScripts
[For JSON-related information, see http://www.cnblogs.com/tomxu/archive/2012/01/11/2311956.html]
The following sections describe:
I. HTML string
stripTags: removes all HTML tags from a string.
escapeHTML: converts the special HTML characters into their entity equivalents (& becomes &amp;, < becomes &lt;, > becomes &gt;).
unescapeHTML: strips tags from the string and then converts the entity forms of those special characters back to their literal form (the inverse of escapeHTML).
The regular expression in stripTags, /<\w+(\s+("[^"]*"|'[^']*'|[^>])+)?>|<\/\w+>/gi, matches either an opening tag with optional attributes (double-quoted, single-quoted or unquoted values) or a closing tag. The regex literal has to stay on one line: breaking it across lines is a syntax error.
[The one thing to watch with this method: stripTags removes the <script> tags but not what is between them, so the script source is left behind as visible text, which can expose it and disturb the page layout. Because the expression is applied in a single pass, it is not a sanitiser either: removing an inner tag can leave the surrounding fragments to form a new tag. For untrusted text, escapeHTML is the right output encoding.]
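The three HTML helpers as plain functions, run on constructed inputs that show the two caveats above. This is an added example, not Prototype's own code: the library attaches these methods to String.prototype and uses `this`, while the versions here take the string as a parameter; the regular expressions are the library's.

```javascript
// Added example, not Prototype's own code: the three HTML helpers as plain
// functions (the library attaches them to String.prototype) using the same
// regular expressions, run on constructed inputs that show the caveats above.

const TAG_RE = /<\w+(\s+("[^"]*"|'[^']*'|[^>])+)?>|<\/\w+>/gi;

function stripTags(s) {
  return s.replace(TAG_RE, '');
}

function escapeHTML(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function unescapeHTML(s) {
  // The library strips tags first, then reverses the three entity replacements
  // in the opposite order so that "&amp;lt;" does not turn into "<".
  return stripTags(s).replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Constructed input 1: the script body survives stripTags as plain text.
const withScript = '<p>Hi</p><script>alert(1)</script>';

// Constructed input 2: the expression is applied in one pass, so removing the
// inner tag leaves the outer fragments to reassemble into a new <script> tag.
const nested = '<scr<script>ipt>alert(1)</script>';

function demo() {
  return {
    stripped:    stripTags(withScript),            // 'Hialert(1)'
    reassembled: stripTags(nested),                // '<script>alert(1)'
    secondPass:  stripTags(stripTags(nested)),     // 'alert(1)'
    escaped:     escapeHTML(nested),               // entity-encoded, inert as markup
    roundTrip:   unescapeHTML(escapeHTML('a < b && c > d')),  // original text back
  };
}
```

The `reassembled` value is the practical point: a stripped string can still contain a tag, so stripTags must not be relied on to make untrusted input safe for insertion as markup. Encoding with escapeHTML (or assigning to textContent in the browser) keeps the text inert.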
II. Script string
stripScripts: removes all HTML <script> blocks from the string, tags and content together, making up for the gap left by stripTags on script tags.
extractScripts: extracts the content of every <script> block in the string and returns it as an array of strings.
evalScripts: executes the content of every <script> block in the string and returns an array holding the value each script produced.
The regular expression in stripScripts is a specialised variant of the one in stripTags: it matches a whole <script ...>...</script> block, content included, rather than a single tag.
The Code is as follows:
// String.prototype method: `this` is the string being processed.
function stripScripts() {
    // Prototype.ScriptFragment: an opening <script ...> tag, the (lazily matched) body, and the closing tag
    var pattern = new RegExp('<script[^>]*>([\\S\\s]*?)<\\/script>', 'img'); // i: ignore case, m: multiline, g: global
    return this.replace(pattern, '');
}
The Code is as follows:
function extractScripts() {
    var matchAll = new RegExp('<script[^>]*>([\\S\\s]*?)<\\/script>', 'img'),
        matchOne = new RegExp('<script[^>]*>([\\S\\s]*?)<\\/script>', 'im');
    // match() with the g flag returns only whole matches, so each block is matched
    // again without g to reach the capture group holding the script body
    return (this.match(matchAll) || []).map(function(scriptTag) {
        return (scriptTag.match(matchOne) || ['', ''])[1];
    });
}
map here is the Array extension; in browsers that have a native Array.prototype.map, the native method is used. See the article on native Array methods in Chrome.
The result is an array of the contents of every <script> block, so evalScripts follows naturally: walk the array, eval each entry in turn, and keep each result.
The Code is as follows:
function evalScripts() {
    // direct eval: each script body runs in the caller's scope, and its completion value is kept
    return this.extractScripts().map(function(script) { return eval(script); });
}
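The three script helpers run on a constructed Ajax-style fragment, followed by a constructed hostile fragment that shows what evalScripts will execute. This is an added example, not Prototype's own code: the functions take the string as a parameter instead of being String.prototype methods, the pattern is the library's ScriptFragment, and both fragments are made up for the demonstration.

```javascript
// Added example, not Prototype's own code: the three script helpers as plain
// functions over the same ScriptFragment pattern, run on a constructed
// Ajax-style HTML fragment and on a constructed hostile one.

const ScriptFragment = '<script[^>]*>([\\S\\s]*?)<\\/script>';

function stripScripts(s) {
  // i: ignore case, m: multiline, g: remove every block rather than only the first
  return s.replace(new RegExp(ScriptFragment, 'img'), '');
}

function extractScripts(s) {
  const matchAll = new RegExp(ScriptFragment, 'img');
  const matchOne = new RegExp(ScriptFragment, 'im');
  // match() with the g flag yields whole blocks; each block is matched again
  // without g so the capture group (the script body) is available.
  return (s.match(matchAll) || []).map(tag => (tag.match(matchOne) || ['', ''])[1]);
}

function evalScripts(s) {
  return extractScripts(s).map(script => eval(script));   // direct eval, as in the library
}

// Constructed fragment of the kind an Ajax response might carry: markup plus two
// script blocks, the second with attributes and upper-case tag names.
const fragment =
  '<div id="box">Loaded</div>' +
  '<script>1 + 1</script>' +
  '<SCRIPT type="text/javascript">"second".toUpperCase()</SCRIPT>';

function markupOnly()   { return stripScripts(fragment); }    // '<div id="box">Loaded</div>'
function scriptBodies() { return extractScripts(fragment); }  // ['1 + 1', '"second".toUpperCase()']
function scriptValues() { return evalScripts(fragment); }     // [2, 'SECOND']

// Constructed hostile fragment: if user-controlled text reaches a response that
// is processed with evalScripts, the script block inside it runs with the page's
// privileges. The array records that the block executed.
const executed = [];
const hostile = '<p>Comment</p><script>executed.push("ran")</script>';

function runHostile() {
  executed.length = 0;
  evalScripts(hostile);
  return executed.slice();                                     // ['ran']
}
```

The hostile case is the one to keep in mind when a response is updated into the page with script evaluation turned on: every <script> block in the response body is executed, so the response must come from a trusted origin and must not embed unescaped user input inside a script block.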
III. JSON processing
unfilterJSON: strips the security comment delimiters that wrap Ajax JSON or JavaScript response content.
isJSON: uses regular expressions to check whether the string is in legal JSON form.
evalJSON: evaluates a JSON string and returns the resulting object. Only when called as evalJSON(true) is the string checked with isJSON before it is passed to eval; without that argument, whatever the string contains is executed as JavaScript.
isJSON and evalJSON come from the parseJSON of json.js, and the code is much the same; for details see "parse JSON from string".
As for the security delimiters that unfilterJSON handles: for your own data you can wrap the returned value in special delimiters that mark its origin, and on the client unfilterJSON strips them again before parsing. This is a defence against JSON hijacking rather than against XSS: a response wrapped in a comment is inert if another site loads it through a <script src> tag, because the JavaScript engine sees only a comment, while your own code, which knows the delimiters, still gets at the data.
Prototype's default format is:
'/*-secure-\n{"name": "xiaoxi Mountain", "age": 24}\n*/'
The delimiters are '/*-secure-\n' and '\n*/'; the filter that removes them, Prototype.JSONFilter, is /^\/\*-secure-([\s\S]*)\*\/\s*$/, so the newlines are conventional rather than required.
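The JSON helpers as plain functions, run on the default filtered format shown above and on a constructed hostile string, covering both the evalJSON(true) caveat and the hijacking defence. This is an added example, not Prototype's own code: the regular expressions are the library's, the functions take the string as a parameter, the library's control-character escaping step inside evalJSON is omitted, and the hostile string and marker array are made up for the demonstration.

```javascript
// Added example, not Prototype's own code: stand-alone versions of the three
// JSON helpers using the library's regular expressions, as plain functions.

// Prototype.JSONFilter: the security comment wrapper around a JSON response.
const JSONFilter = /^\/\*-secure-([\s\S]*)\*\/\s*$/;

function unfilterJSON(s, filter) {
  return s.replace(filter || JSONFilter, '$1');
}

// The json.js shape check: neutralise escapes and scalars, drop array and
// object openers, and accept only if nothing but JSON punctuation remains.
function isJSON(s) {
  if (/^\s*$/.test(s)) return false;
  let str = s.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@');
  str = str.replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']');
  str = str.replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  return /^[\],:{}\s]*$/.test(str);
}

// evalJSON: unwrap, optionally validate, then eval. Without sanitize=true the
// string is executed as JavaScript unconditionally. (The library also escapes a
// set of Unicode control characters before eval; that step is omitted here.)
function evalJSON(s, sanitize) {
  const json = unfilterJSON(s);
  try {
    if (!sanitize || isJSON(json)) return eval('(' + json + ')');
  } catch (e) { /* fall through to the SyntaxError below */ }
  throw new SyntaxError('Badly formed JSON string: ' + JSON.stringify(s));
}

// Constructed sample response in Prototype's default filtered format.
const wrapped = '/*-secure-\n{"name": "xiaoxi Mountain", "age": 24}\n*/';

// Constructed hostile "JSON" carrying a function call; the marker array
// records whether that call actually ran.
const marker = [];
const hostile = '{"age": marker.push("evaluated")}';

function parseWrapped() {
  return evalJSON(wrapped, true);              // { name: 'xiaoxi Mountain', age: 24 }
}

// What a third-party page gets if it loads the raw response via <script src>:
// the whole body is one comment, so evaluating it yields nothing.
function loadedAsScript() {
  return eval(wrapped);                        // undefined
}

// sanitize=true rejects the hostile string before eval; without it the call runs.
function hostileSanitized() {
  marker.length = 0;
  try { evalJSON(hostile, true); return 'parsed'; }
  catch (e) { return e instanceof SyntaxError && marker.length === 0 ? 'rejected' : 'other'; }
}

function hostileUnsanitized() {
  marker.length = 0;
  evalJSON(hostile, false);
  return marker.slice();                       // ['evaluated']
}
```

On a current engine, JSON.parse(unfilterJSON(s)) gives the same result as evalJSON(true) without involving eval at all; the eval path above is worth understanding mainly because of what the unsanitised branch does with a response it should not trust.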