hx-vars
NOTE: hx-vars has been deprecated in favor of hx-vals, which is safer by default.
The hx-vars attribute allows you to dynamically add to the parameters that will be submitted with an AJAX request.
The value of this attribute is a comma-separated list of name:<expression> values, using the same syntax as the inside of a JavaScript object literal.
<div hx-get="/example" hx-vars="myVar:computeMyVar()">Get Some HTML, Including A Dynamic Value in the Request</div>
Security Considerations
The expressions in hx-vars are dynamically computed, which allows you to add JavaScript code that will be executed. Be careful to never trust user input in your expressions, as this may lead to a Cross-Site Scripting (XSS) vulnerability. If you are dealing with user input such as query strings or user-generated content, consider using hx-vals, which is a safer alternative.
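The difference described above, as an added example that is not htmx's own code: a simplified Node.js model in which hx-vars text is evaluated as a JavaScript object literal while hx-vals text is parsed as JSON (its default behavior). The helpers renderHxVars, renderHxVals and escapeAttr, the probe function and the input string are hypothetical and constructed for illustration.

```javascript
// Simplified model of the two strategies (an assumption for illustration,
// not htmx's source): hx-vars is evaluated as code, hx-vals is parsed as data.
function evalLikeHxVars(attr) {
  const src = attr.trim().startsWith("{") ? attr : "{" + attr + "}";
  return Function("return (" + src + ")")(); // executes whatever attr contains
}

function parseLikeHxVals(attr) {
  return JSON.parse(attr); // data only, nothing is executed
}

// Hypothetical server-side template helpers that build the attribute value.
function renderHxVars(userInput) {
  return "q:'" + userInput + "'"; // unsafe: user text becomes part of an expression
}

function renderHxVals(userInput) {
  return JSON.stringify({ q: userInput }); // safe: user text stays a JSON string
}

// The JSON still has to be HTML-escaped before it is written into the attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Constructed input: closes the string literal and calls a harmless probe.
const crafted = "' + probe() + '";

function demo() {
  let executed = false;
  globalThis.probe = () => { executed = true; return ""; };
  const viaVars = evalLikeHxVars(renderHxVars(crafted));
  const ranUnderVars = executed; // true: the input ran as code
  executed = false;
  const viaVals = parseLikeHxVals(renderHxVals(crafted));
  const ranUnderVals = executed; // false: the input arrived as a plain string
  delete globalThis.probe;
  return { viaVars, ranUnderVars, viaVals, ranUnderVals };
}

console.log(demo());
console.log('hx-vals="' + escapeAttr(renderHxVals(crafted)) + '"');
```
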
Notes
hx-vars is inherited and can be placed on a parent element.
A child declaration of a variable overrides a parent declaration.
Input values with the same name will be overridden by variable declarations.