HTML value attribute ignores the whitespace in the passed string



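I have an EJS file that fetches the names of national parks from a database and passes them to the next page in the value attribute of a hidden input element.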

My home.ejs file

<!doctype html>
<html lang="en">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<!-- Bootstrap CSS -->
<link href="https://fonts.googleapis.com/css?family=Pacifico&display=swap" rel="stylesheet">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
<link rel="stylesheet" type="text/css" href="/css/national-parks.css">

</head>
<body>

<div class="container" id="headContainer">
<div class="row">
<div class="col-2">
<nav class="nav flex-column">
<a class="nav-link active text-white" href="/login">Login</a>
<a class="nav-link active text-white" href="/signup">Sign Up</a>
<a class="nav-link active text-white" href="/logout">Logout</a>
</nav>
</div>
<div class="col-10" id="heading">
<h1 class="display-3">National Parks Observer</h1>
<p class="lead">Site Dedicated to Indian National Parks</p>
</div>

</div>
</div>


<div class="container" id="postings">
<%  var r=Math.round(nationalParks.length/3); %>
<% var x = 1; %>
<% var elementCount = 3; %>
<% var constant = 3; %>
<% var start=0; %>
<% while(x<=r){ %>
<div class="row">
<% for(var k=start;k<elementCount;k++){ %>
<div class="col-4">
<div class="card">
<form method="POST" action="/NationalPark">  
<img class="card-img-top" src=<%=nationalParks[k].imageurl %> alt="Card image cap">

<h5 class="card-title" name="parktitle" id="title"><%=nationalParks[k].nationalPark %></h5>
<% var parkName=nationalParks[k].nationalPark %>
<Input type="hidden" name="park_name" value=<%= parkName %> />  
<Input type="hidden" name="google_url" value=<%=nationalParks[k].googleurl %> />      
<button type="submit" class="btn btn-primary btn-sm">View Page</button>
</form> 
</div>
</div>
<% } %>
<%  start=start+constant; %>
<%   elementCount=Math.min(elementCount+constant,nationalParks.length); %>

</div>
<% x++; }  %>





</div>

<br>
<br>
<br>

<!-- Optional JavaScript -->
<!-- jQuery first, then Popper.js, then Bootstrap JS -->
<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js" integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q" crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script>
<script src="/javascript/national-park.js"></script>     
</body>
</html>

If you pass a value, say Jim, the following line of code works fine

<Input type="hidden" name="park_name" value=<%= nationalParks[k].nationalPark %> />  

But if it encounters a string, say Jim Corbett, it does this.

<input type="hidden" name="park_name" value="Jim" corbett>

What is the way to solve this problem? Are there any security implications here? Thanks

Try this:

<Input type="hidden" name="park_name" value='<%= nationalParks[k].nationalPark %>' /> 

Instead of this:

<Input type="hidden" name="park_name" value=<%= nationalParks[k].nationalPark %> />  
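
The difference between the two templates, as an added example that is not part of the original question or answer: it renders the hidden input with and without quotes and splits the resulting tag the way a browser splits attributes. The names escapeHtml, decodeEntities, parseAttributes, renderUnquoted and renderQuoted are hypothetical; escapeHtml is assumed to model the five-character escaping that `<%= %>` applies, and parseAttributes is a simplified model, not a full HTML parser.

```javascript
// Added example. escapeHtml models the five-character escaping that an
// escaping template tag such as EJS's <%= %> applies (assumption).
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESC = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESC[c]);
}

function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, n) => UNESC[n]);
}

// Simplified model (not a full HTML parser) of attribute splitting in a start tag:
// an unquoted value ends at the first whitespace, a quoted value at its closing quote.
function parseAttributes(tag) {
  const body = tag.replace(/^<\s*[\w-]+/, '').replace(/\/?>\s*$/, '');
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// The template from the question (unquoted) and a quoted variant.
const renderUnquoted = (park) =>
  `<input type="hidden" name="park_name" value=${escapeHtml(park)} />`;
const renderQuoted = (park) =>
  `<input type="hidden" name="park_name" value="${escapeHtml(park)}" />`;

// Constructed sample values.
for (const park of ['Jim', 'Jim Corbett', 'Valley "of" Flowers']) {
  console.log(park, parseAttributes(renderUnquoted(park)), parseAttributes(renderQuoted(park)));
}
```

Escaping alone does not keep an unquoted value in one piece, because whitespace is not an escaped character: everything after the first space is parsed as further attributes of the tag. With quotes plus escaping, the whole string stays inside value.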
