Js段调用escape,可以解决掉很多特殊字符的显示处理,但是如果你需要在后台处理的时候,需要转换,不是转义,比如说你是在前台方法里面显示一段内容,比如:onmouseover="tooltip.show('aaaa')"; 但是如果这个时候aaa中间有个单引号,如:onmouseover="tooltip.show('aaa'a')";那到前台处理的时候就会出问题了。处理方法如下:
如chr(39) ' 转换后就是 ';如此转换后还需要用HttpUtility.HtmlEncode
onmouseover="tooltip.show('" + HttpUtility.HtmlEncode(EscapeAndRemoveXSS(strDisplayValue)) + "')"
public static string EscapeAndRemoveXSS(object objInput)
{
StringBuilder sbdOutput = new StringBuilder();
if (objInput != null)
{
StringBuilder sbdInput = new StringBuilder(objInput.ToString());
for (int intIndex = 0; intIndex < sbdInput.Length; intIndex++)
{
char chrInput = sbdInput[intIndex];
int intChar = System.Convert.ToInt32(chrInput);
//We will encode every characters except "A-Z", "a-z", "0-9", "&", "#", ";", "", " " by default
if (intChar == 32 || intChar == 35 || intChar == 38 || (intChar >= 48 && intChar <= 57) ||
intChar == 59 || (intChar >= 65 && intChar <= 90) || intChar == 92 || (intChar >= 97 && intChar <= 122) || intChar == 58 || intChar == 33)
{
sbdOutput.Append(chrInput);
}
else
{
//strOutput = strOutput + chrInput;
sbdOutput.Append("&#" + intChar + ";");
}
}
}
return sbdOutput.ToString()
}