admin管理员组

文章数量:1287577

I've read several posts about the question and found this to be the simplest solution, here is my code:

js inside PHP code

<script>
    <!--// 
      var jsBaseurl = <?php echo json_encode(BASE_URL."/"); ?>;
      var jsTitle = <?php echo json_encode($h1_title); ?>;
      var jsSubtl = <?php echo json_encode($h2_title);?>;
    //-->
</script>
<script src="external.js"></script>

and the external.js

var siteURL=jsBaseurl;
alert(siteURL+jsTitle+jsSubtl)

it works fine, my question is regarding to the following ments by Pang and biplav:

WARNING: This can kill your website. Example:

<?php $myVarValue = '<!--<script>'; ?>

See this question for details. Solution: Use JSON_HEX_TAG to escape < and > (requires PHP 5.3.0). - Pang

Another downside of this is that impacts the inital page load time. - biplav

I would like to know a simple solution for Pang's ment and how this all impacts the performance (page load time). Thanks a lot!

I've read several posts about the question and found this to be the simplest solution, here is my code:

js inside PHP code

<script>
    <!--// 
      var jsBaseurl = <?php echo json_encode(BASE_URL."/"); ?>;
      var jsTitle = <?php echo json_encode($h1_title); ?>;
      var jsSubtl = <?php echo json_encode($h2_title);?>;
    //-->
</script>
<script src="external.js"></script>

and the external.js

var siteURL=jsBaseurl;
alert(siteURL+jsTitle+jsSubtl)

it works fine, my question is regarding to the following ments by Pang and biplav:

WARNING: This can kill your website. Example:

<?php $myVarValue = '<!--<script>'; ?>

See this question for details. Solution: Use JSON_HEX_TAG to escape < and > (requires PHP 5.3.0). - Pang

Another downside of this is that impacts the inital page load time. - biplav

I would like to know a simple solution for Pang's ment and how this all impacts the performance (page load time). Thanks a lot!

• javascript
• php
• jquery
• json

Share Improve this question Follow edited May 23, 2017 at 12:06 CommunityBot 111 silver badge asked Jul 20, 2014 at 21:43 YatkoYatko 8,80599 gold badges4343 silver badges5050 bronze badges 9

• It would kill your website if the output if json_encode() contains an illegal character in JavaScript which is not very likely. – Daniel K. Commented Jul 20, 2014 at 21:48
• It doesn't affect page performance if you're using PHP in anycase and as long as you don't put stupid things in your own PHP it won't break but if you put stupid things in any PHP script you can kill your own website. You are the webmaster! – Rob Schmuecker Commented Jul 20, 2014 at 21:48
• 1 @Daniel which would mean that the json_encode() is broken and outputs illegal JSON, because there is no legal JSON that would be illegal JavaScript. – rsp Commented Jul 20, 2014 at 21:49
• Since json_encode() really produces a String, I'm not sure how this applies to being a problem, more than the user having Firebug. – StackSlave Commented Jul 20, 2014 at 21:51
• @rsp Was not 100% sure about that but thank for clarifying ;) – Daniel K. Commented Jul 20, 2014 at 22:00

 |  Show 4 more ments

2 Answers 2

Sorted by: Reset to default 9

About question 1: use JSON_HEX_TAG in json_encode()

• Example 1
  Consider this simple piece of code.

  <script>
      <?php $myVarValue = 'hello world'; ?>
      var myvar = <?php echo json_encode($myVarValue); ?>;
      alert(myvar);
  </script>
  

  Output:

  <script>
      var myvar = "hello world";
      alert(myvar);
  </script>
  

  It alerts hello world. Good.

• Example 2
  Let's try having </script> as the string.

  <script>
      <?php $myVarValue = '</script>'; ?>
      var myvar = <?php echo json_encode($myVarValue); ?>;
      alert(myvar);
  </script>
  

  Output:

  <script>
      var myvar = "<\/script>";
      alert(myvar);
  </script>
  

  It alerts </script>. Good.

  As you can see, the slash (/) is correctly escaped as \/,

• Example 3
  Now, consider this very special string: <!--<script>

  <script>
      <?php $myVarValue = '<!--<script>'; ?>
      var myvar = <?php echo json_encode($myVarValue); ?>;
      alert(myvar);
  </script>
  

  Output:

  <script>
      var myvar = "<!--<script>";
      alert(myvar);
  </script>
  

  Surprisingly, it does not alert anything, and there's nothing in the error console. What?!

  If you check JSON's spec, none of the characters in <!--<script> need to be escaped, so what went wrong?

  ^{Image adapted from json}

For a plete and well explained answer, read this amazing Q & A. In short, it turns out that having <!--<script> in a <script> block confuses the HTML parser. PHP actually did its job correctly in json_encode(); you just can't have a <!--<script> there, even though it is a perfectly valid JavaScript string!

I did a few simple tests myself. The browsers actually ignore everything after <!--<script>, so if it happens in the middle of a page, the entire second half of the page is gone! I'm not sure if someone can actually inject something malicious there to, say, execute arbitrary code, but that's bad enough.

Also,

• If you have not just a string in $myVarValue, but a plex object like array("key" => array("one", "and<!--<script>two", 3)), which includes <!--<script>, it's still bad.
• If you have a plain HTML file (i.e. no PHP) and you have <!--<script> anywhere (even in a JavaScript ment) in your <script> block, it's also bad.
• If you are using other, non-PHP, server-side programming languages, and produced <!--<script>, it's bad too.
• If your PHP is outputting JavaScript directly (Content-type: application/javascript), it's actually ok ^[1].

The solution? Use JSON_HEX_TAG to escape < and > (requires PHP 5.3.0).

<script>
    <?php $myVarValue = '<!--<script>'; ?>
    var myvar = <?php echo json_encode($myVarValue, JSON_HEX_TAG); ?>;
    //                                            ^^^^^^^^^^^^^^
    alert(myvar);
</script>

Output:

<script>
    var myvar = "\u003C!--\u003Cscript\u003E";
    alert(myvar);
</script>

It alerts <!--<script>. Hurray!

It works because there's no more <!--<script> in the output, so no more HTML parsing problems.

Note: you don't need JSON_HEX_TAG if you're not printing into a <script> block.

_{[1] Here, "ok" merely means it is free from the <!--<script> issue. Dynamically generating external JavaScript files is not remended as it has tons of disadvantages, such as those stated here, here, here.}

---

About question 2: initial page load time

Actually, it's rather obvious. If the time needed to obtain the value of $myVarValue is long (e.g. you're fetching lots of data from DB), PHP will have to wait, so is the browser, and the user. That means longer initial page load time. If you load the data later with Ajax instead, they won't have to wait to see the initial result, but then, the Ajax call would be an extra HTTP request, so it means more workload to the server, and more load to the network.

Of course, each method has its pros and cons, so you have to decide. I suggest reading this excellent Q & A.

Pretty sure that won't break it. The whole point of json_encode is that it's safe to dump.

</script> might break it, but PHP escapes / as \/ by default so you shouldn't have to worry about it.

本文标签： Most efficient way to pass PHP variables to external JavaScript (or jQuery) fileStack Overflow