Html 如何在网页表单中输入空字符?

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/6961208/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-08-29 09:55:15  来源:igfitidea点击:

How to input a null character into a web form?

htmlforms

提问by frankadelic

I am testing an ASP.NET web form which needs to filter out null characters from input.

我正在测试一个 ASP.NET Web 表单,它需要从输入中过滤掉空字符。

To test this functionality, how can I actually type a null character in the html form? I've tried Alt+0 but it does not work.

要测试此功能,我如何在 html 表单中实际键入空字符?我试过 Alt+0 但它不起作用。

I know I can do it in a GET request by using "%00" in the URL. However, I want to do it in a form POST.

我知道我可以通过在 URL 中使用“%00”在 GET 请求中做到这一点。但是,我想以 POST 形式进行。

采纳答案by frankadelic

I was able to do this using TamperData Firefox plugin.

我能够使用 TamperData Firefox 插件来做到这一点。

https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

When given the Tamper Popup I typed "%00" in the Post Parameter Value field.

当给出 Tamper Popup 时,我在 Post Parameter Value 字段中输入了“%00”。

Still, I cannot find a way to type a null character just using the keyboard.

尽管如此,我还是找不到仅使用键盘键入空字符的方法。

回答by Jonathan H.

my suggestion would be to write the null character to an html element you would like it in ex:

我的建议是将空字符写入您希望在 ex 中使用的 html 元素:

    document.getElementByID("my_null_tag").innerHTML += "
<html>
    <body onload='document.forms[0].submit();'>
        <form method="post" action="http://localhost/test.asp" >
            <input type="hidden" name="param" value="%00">
        </form>
    </body>
</html>
"

回答by Pierre Ernst

&#0;

回答by álvaro González

You can use an HTML entity. Not fully sure of how many zeroes are required but:

您可以使用 HTML 实体。不完全确定需要多少个零,但是:

javascript:(function(){var xhr=new XMLHttpRequest();xhr.onreadystatechange=function(){if(this.readyState==4){document.write(this.responseText)}};xhr.open("POST",'/form',true);xhr.send("
(function() {
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function () {
        if (this.readyState == 4) {
            document.write(this.responseText);
        }
    };
    xhr.open("POST", '/form', true);
    xhr.send("
$dbstring = str_replace(?,NULL); and the value will be NULL
"); })()
");})()

For an arbitrary Unicode character it's easier to use the hexadecimal notation. E.g., &#x335D;prints ㍝ wich is U+335D.

对于任意 Unicode 字符,使用十六进制表示法更容易。例如,&#x335D;打印 ㍝ 是U+335D



Update:This question is pretty tricky indeed. I've managed to insert a null character inside an HTML document (using a server-side script and verified with an hexadecimal editor). As expected, there is no difference with the HTML entity, which can be either &#0;or &#x0;. But the browser does not send the character in the post request (tested with Firefox and Firebug): it sends %EF%BF%BD, which is REPLACEMENT CHARACTER' (U+FFFD). Exactly, it sends the interrogation mark in a box that's used to print the null in the document (given that null is not printable).

更新:这个问题确实很棘手。我设法在 HTML 文档中插入了一个空字符(使用服务器端脚本并使用十六进制编辑器进行验证)。正如预期的那样,存在与HTML实体,其可以是无差异任一&#0;&#x0;。但是浏览器不会发送 post 请求中的字符(用 Firefox 和 Firebug 测试):它发送%EF%BF%BD, 即REPLACEMENT CHARACTER' (U+FFFD)。确切地说,它在用于打印文档中的空值的框中发送询问标记(假设空值不可打印)。

My guess is that your testers need to script the task.

我的猜测是您的测试人员需要编写任务脚本。

回答by mercator

Use AJAX to submit the form. I.e. paste something like this in the address bar instead:

使用 AJAX 提交表单。即在地址栏中粘贴类似的内容:

$dbstring = str_replace(?,""); and the value will be BLANK

Here it is unwrapped, so you can actually see it:

这是解开的,所以你可以真正看到它:

&Oslash; = ? (usually for null)
&oslash; = ? (could be used, but the upper-case version seems more appropriate.)

There are some limitations to this, of course, since it just blindly replaces the content of the current page with whatever it got back. But this might be enough to tell if something went wrong or not.

当然,这有一些限制,因为它只是盲目地用它返回的任何内容替换当前页面的内容。但这可能足以判断是否出现问题。

回答by QuakeDragon

A Latin character O with a slash through it is often acceptable as a symbol for Null/Nul (or blank if you prefer). If you are using database-driven applications you'll want to sanitize this symbol to replace with null or blank, depending on your needs.

带有斜线的拉丁字符 O 通常可以作为 Null/Nul 的符号(如果您愿意,也可以是空白)。如果您正在使用数据库驱动的应用程序,您将需要清理此符号以替换为 null 或空白,具体取决于您的需要。

How to do it:ALT + 0216 in your favorite editor should give you ? - which is, for this display purpose, Null.

怎么做:ALT + 0216 在你最喜欢的编辑器中应该给你什么?- 出于此显示目的,Null。

Then, as an example and a best practice, you'll sanitize the form submission before it gets passed to the database.

然后,作为示例和最佳实践,您将在表单提交传递到数据库之前对其进行清理。

Example Case:If feeding a database-driven PHP site, your sanitation of this specific character this might look something like...

示例案例:如果提供一个数据库驱动的 PHP 站点,您对这个特定字符的清理可能看起来像......

##代码##

Or try...

或者试试...

##代码##

!alternatively, you may want to do this display with the HTML entity codes, which I mention below.

或者,您可能希望使用我在下面提到的 HTML 实体代码进行此显示。

Alt + 0216 explainedIf using a normal 104-key keyboard with English (American) set as your primary language, hold down the ALT key, and while holding, use the NUMBER PAD keys to enter 0216. Then release the ALT key, and your character should appear. *This is primarily a Windows method. Macintosh, (X)nix and bsd users, you will probably be stuck using the HTML entity codes.

Alt + 0216 解释如果使用普通的 104 键键盘并将英语(美国)设置为您的主要语言,请按住 ALT 键,并在按住的同时使用数字键盘键输入 0216。然后松开 ALT 键,您的字符应该出现。*这主要是一种 Windows 方法。Macintosh、(X)nix 和 bsd 用户,您可能会被 HTML 实体代码卡住。

Special note:use of the top-of-keyboard numbers doesn't work. If you are on a laptop or other device that makes this difficult or impossible. try an alternative: Use the HTML entity codes:

特别注意:使用键盘顶部的数字不起作用。如果您使用的是笔记本电脑或其他使这变得困难或不可能的设备。尝试替代方法:使用HTML 实体代码:

##代码##

Other thoughts that might be helpful:Nul vs Null vs Blank - They fundamentally mean the same thing, but different programming languages use or require these differently. (There's others too, like NULPTR for Null Pointer.)

其他可能有用的想法:Nul vs Null vs Blank - 它们基本上意味着相同的事情,但不同的编程语言使用或要求这些不同。(还有其他的,比如 Null Pointer 的 NULPTR。)

The point I'm trying to make with NUL/NULL, is that the submitted variable 'doesn't exist' or simply 'wasn't there at all'. In most contexts, you can simply call this "Null" and be understood.

我试图用 NUL/NULL 说明的一点是,提交的变量“不存在”或干脆“根本不存在”。在大多数情况下,您可以简单地称其为“Null”并被理解。

Some database systems treat Blank and NULL as the same thing. Others, Blank is actually an empty value, whereas NULL is no value at all (like mentioned above.)

一些数据库系统将 Blank 和 NULL 视为同一件事。其他人,Blank 实际上是一个空值,而 NULL 根本没有值(如上所述)。

Hopefully this helps in building the view you're looking for.

希望这有助于构建您正在寻找的视图。