I have a weird situation and I can't seem to find the answer on Google.
I am taking a JavaScript array, applying JSON.stringify to it, and then posting it via AJAX to a PHP controller that stores the now JSON-encoded array in a table. Upon posting via AJAX, $_POST is somehow stripping the style attribute from the HTML being submitted.
Here is the sample HTML being grabbed via JavaScript/jQuery:
<div class="blahblah" style="border:1px solid #000000;"><strong>test</strong></div>
Here is the AJAX post code:
var post_data = [];
$("divclasshere").each(function () {
    post_data.push({ html: $(this).html() });
});
var data = JSON.stringify(post_data);
$.ajax({
    type: "POST",
    url: "save",
    data: { content: data },
    success: function (result) {
    }
});
And here is the controller function that saves it to the db:
$data = array(
    'content' => $this->input->post('content')
);
$this->db->update('table', $data);
If I print_r the data in the PHP controller, I get (for example):
<div class="blahblah"><strong>test</strong></div>
But there is no style attribute on the div class="blahblah" element. I am using CodeIgniter, if that makes a difference. In some cases it strips only the first part, style="border:1px, and leaves solid #000000;"
EDIT:
Here is what gets posted (as an example):
content:[{"html":"<div class=\"content\" style=\"border:1px solid #000000;\"></div>"}]
And here is what gets print_r'd:
[{"html":"<div class=\"content\" solid #000000;\"></div>"}]
Solution
The core _remove_evil_attributes function removes the style attribute from tags. To get around this there is a workaround. Just create a file named MY_Security.php inside the core directory of your application (application/core/MY_Security.php) and paste the following code into it to override the default function.
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

class MY_Security extends CI_Security {

    function __construct()
    {
        parent::__construct();
    }

    // --------------------------------------------------------------------

    /*
     * Modified for cb_cms
     */
    protected function _remove_evil_attributes($str, $is_image)
    {
        // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns.
        // Request paths (without the domain, e.g. '/admin/edittext/') on which style is kept.
        $allowed = array("your allowed URLs without the domain, e.g. '/admin/edittext/'");
        if (in_array($_SERVER['REQUEST_URI'], $allowed))
        {
            $evil_attributes = array('on\w*', 'xmlns');
        }
        else
        {
            $evil_attributes = array('on\w*', 'style', 'xmlns');
        }

        if ($is_image === TRUE)
        {
            /*
             * Adobe Photoshop puts XML metadata into JFIF images,
             * including namespacing, so we have to allow this for images.
             */
            unset($evil_attributes[array_search('xmlns', $evil_attributes)]);
        }

        // Strip every matching attribute; repeat until a pass makes no replacement.
        do {
            $str = preg_replace(
                "#<(/?[^><]+?)([^A-Za-z\-])(".implode('|', $evil_attributes).")(\s*=\s*)([\"][^>]*?[\"]|['][^>]*?[']|[^>]*?)([\s><])([><]*)#i",
                "<$1$6",
                $str, -1, $count
            );
        } while ($count);

        return $str;
    }
}
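The stripping the asker describes, and the effect of the override in the answer, reproduced as an added example (my code, not from the question, the answer or CodeIgniter): a JavaScript port of the _remove_evil_attributes regex shown in the answer, run over the question's own markup. The regex, the replacement and the attribute list are taken from the answer; the sample inputs are constructed, and the style-value allowlist at the end (its property list and value grammar) is an assumed illustration of a tighter alternative, not something the answer proposes.

```javascript
// Added example (not code from the question or the answer): a JavaScript port
// of the _remove_evil_attributes() regex shown in the answer, which CI_Security
// applies to $_POST when CodeIgniter's global XSS filtering is on. Running it
// over the question's own input reproduces the stripping the asker saw and
// shows what the answer's per-URL override does and does not change.

// Build the regex with the attribute list the answer uses: 'on\w*' (event
// handlers), 'xmlns', and 'style' unless the request is on the allowed list.
function evilAttributePattern(allowStyle) {
  const names = ['on\\w*', 'xmlns'];
  if (!allowStyle) names.push('style');
  // Same seven capture groups as the PHP pattern. The replacement "<$1$6"
  // keeps the tag head ($1) and the character after the value ($6) and drops
  // the attribute name, the "=" and the value ($3..$5).
  return new RegExp(
    '<(\\/?[^><]+?)([^A-Za-z\\-])(' + names.join('|') + ')(\\s*=\\s*)' +
      '("[^>]*?"|\'[^>]*?\'|[^>]*?)([\\s><])([><]*)',
    'gi'
  );
}

// Repeat until a pass changes nothing, like the PHP do { } while ($count).
function removeEvilAttributes(str, allowStyle = false) {
  const re = evilAttributePattern(allowStyle);
  let before;
  do {
    before = str;
    str = str.replace(re, '<$1$6');
  } while (str !== before);
  return str;
}

// Constructed inputs: the markup from the question as raw HTML, and the same
// markup wrapped the way the AJAX call wraps it. JSON.stringify escapes the
// inner quotes as \" so $_POST['content'] contains style=\"border:1px ...\",
// which is why the quoted-value branches of the regex never match it.
const RAW_HTML = '<div class="blahblah" style="border:1px solid #000000;">test</div>';
const JSON_PAYLOAD = JSON.stringify([
  { html: '<div class="content" style="border:1px solid #000000;"></div>' },
]);
const HANDLER_PAYLOAD = '<div onclick=\\"alert(1)\\" style=\\"color:red\\">x</div>';

function demo() {
  return {
    // Raw HTML: the quoted value "border:1px solid #000000;" is matched as a
    // whole and the entire style attribute disappears.
    raw: removeEvilAttributes(RAW_HTML),
    // JSON-escaped HTML: only the lazy [^>]*? branch matches, and it stops at
    // the first whitespace, so 'style=\"border:1px ' is removed and the rest
    // of the value, 'solid #000000;\"', is left behind as junk.
    json: removeEvilAttributes(JSON_PAYLOAD),
    // With the answer's override in effect, style survives untouched ...
    jsonAllowed: removeEvilAttributes(JSON_PAYLOAD, true),
    // ... while event handlers are still stripped on that URL.
    handler: removeEvilAttributes(HANDLER_PAYLOAD, true),
  };
}

// A tighter alternative to switching the filter off per URL: keep the style
// attribute but only store values made of known properties and inert tokens.
// The property list and value grammar here are illustrative assumptions.
const SAFE_PROPERTIES = new Set([
  'border', 'color', 'background-color', 'font-weight', 'font-size',
  'text-align', 'margin', 'padding', 'width', 'height',
]);
// Words, numbers, units, hex colours, percentages, commas, and rgb()/rgba();
// no other function calls, so expression(), url() and behavior: never pass.
const SAFE_VALUE = /^(?:[\w\s#%.,-]|rgba?\([\d\s,.%]*\))+$/i;

function styleValueIsSafe(value) {
  for (const decl of value.split(';')) {
    if (decl.trim() === '') continue;
    const colon = decl.indexOf(':');
    if (colon === -1) return false;
    const prop = decl.slice(0, colon).trim().toLowerCase();
    const val = decl.slice(colon + 1).trim();
    if (!SAFE_PROPERTIES.has(prop) || !SAFE_VALUE.test(val)) return false;
  }
  return true;
}
```

Two things worth noting when reading the results. First, the partial strip in the asker's EDIT is not random: JSON.stringify turns the inner quotes into \", the quoted-value branches of the regex therefore fail, and the fallback [^>]*? branch stops at the first space, which removes style=\"border:1px and leaves solid #000000;\" behind. Second, the override in the answer keys off $_SERVER['REQUEST_URI'], which includes any query string, so only an exact path match re-enables style, and on that path it trusts whatever CSS the client sends; validating the value against a property allowlist, as styleValueIsSafe does, keeps the attribute without trusting its contents.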