问题描述

我有一个电子邮件模板，可以解析并发送（从当前Lead表单）作为参数发送到新电子邮件表单（从JavaScript）。

I have email template which I 'parse' and send (from current Lead form) as a parameter to new email form (from JavaScript).

var parameters = {};
parameters["subject"] = 'Subject name';
parameters["description"] = '<font face="Tahoma, Verdana, Arial" size=2 style="display:inline;"><br></font>';

Xrm.Utility.openEntityForm("email", null, parameters);

或

let serverUrl = "https://companyname.crm4.dynamics.com";

let extraqs = "subject=Subject name";
extraqs += '&description=<font face="Tahoma, Verdana, Arial" size=2 style="display:inline;"><br></font>';

let targetUrl = serverUrl.replace(/\/$/, "") + "/main.aspx?etn=email&pagetype=entityrecord&extraqs=" + encodeURIComponent(extraqs);
parent.open(targetUrl);

或

let serverUrl = "https://companyname.crm4.dynamics.com";

let extraqs = 'subject=' + encodeURIComponent('Subject name');
extraqs += '&description=' + encodeURIComponent('<font face="Tahoma, Verdana, Arial" size=2 style="display:inline;"><br></font>');

let targetUrl = serverUrl.replace(/\/$/, "") + "/main.aspx?etn=email&pagetype=entityrecord&extraqs=" + extraqs;
parent.open(targetUrl);

每次发送类似html标记的内容时都会出错（任何包含'< '或'>'符号）。

I get error every time I want to send anything look like as html tag (anything contains '<' or '>' sign).

是否可以通过参数发送我的html标记，这是否存在安全问题？

Is it possible at all, to send my html markup trough the parameters, is there any security issue with this ?

推荐答案

这可以通过 encodeURIComponent / decodeURIComponent 像这样：

This is solvable with encodeURIComponent / decodeURIComponent like this:

parameters["description"] = encodeURIComponent('<html here>');

另一方面，

var description = decodeURIComponent(incomingParameterHere);

以这种方式，您的HTML作为简单字符串通过。可以（应该吗？）应用于通过JS传递的所有字符串。

In this fashion your HTML passes through as a simple string. This can(should?) be applied to all strings being passed around via JS.