Browser parse HTML for jQuery without loading reso

2019-06-23 17:20发布

Is it possible to pass HTML to a browser through JavaScript and parse it with jQuery, but not load external resources? (scripts, images, flash, anything)

I will do with the XML parser if that is the best I can do, but I would like to allow loose HTML if possible.

It must be compatible with Chrome, Firefox, the latest IE.

标签： jquery html xml parsing browser

1条回答

对你真心纯属浪费

2楼-- · 2019-06-23 18:10

var html = someHTML; //passed in html, maybe $('textarea#id').val();? I don't understand what you mean by 'passed in html'
var container = document.createElement('div');
container.innerHTML = html;
$(container).find('img,embed,head,script,style').remove();
//or
$(container).find('[src]').remove();

var target = someTarget; //place to put parsed html
$(container).appendTo($(target));

EDIT

Tested working

removeExt = function(cleanMe) {
    var toScrutinize = $(cleanMe).find('*'); //get ALL elements
    $.each(toScrutinize, function() {
      var attr = $(this)[0].attributes; //get all the attributes
      var that = $(this); 
      $.each(attr, function(){
          if ($(that).attr(this.nodeName).match(/^http/)) {//if the attribute value links externally
           $(that).remove(); //...take it out  
          } 
      })
    })
    $('script').remove(); //also take out any inline scripts
}

var html = someHTML;
var container = document.createElement('div');
container.innerHTML = html;
removeExt($(container));
var target = someTarget;
$(container).appendTo($(target));

This will match src, href, link, data-foo, whatever... No way to link externally. http and https are both matched. inline scripts are killed. If it's still a security concern, then maybe this should be done server side, or obfuscate your JS.

0人赞添加讨论(0) 举报

Browser parse HTML for jQuery without loading reso

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间