问题描述
我有一个应用程序,用户可以在其中将HTML和ASP代码段存储在数据库中.问题是,当我动态填充textarea控件时,HTML片段中可能包含的所有各种字符都将导致页面无法正确呈现.
I've got an application where users can store snippets of HTML and ASP code in a database. The trouble is, when i dynamically populate the textarea control, all the various characters that can be in an HTML snippet will cause the page to not render properly.
在输出到浏览器之前,有人可以给我指出有关去除/替换各种字符的指南/方法吗?
Can someone point me to a guideline/how-to on stripping out / replacing various characters before outputting to the browser?
我是否要去除尖括号并替换为站立字符?我是否要强迫用户输入<和>而不是尖括号?还是有一种更简单的方法?
Do I strip out the angle brackets and replace with a stand-in character? Do i force my users to enter < and > instead of angle brackets? Or is there a much easier way of doing this?
推荐答案
一个好的习惯是使用Server.httpUtility类中的HTMLEncode和HTMLDecode.
A good habit to be in is to use HTMLEncode and HTMLDecode from the Server.httpUtility class.
只需替换<和>或手动解析html可能会很麻烦,并且您可能不太一劳永逸".
Simply replacing < and > or manually parsing out html can be troublesome and you may not quite "get it all".
通过始终在任何输入到屏幕上的用户输入或文本上调用HTMLEncode和HTMLDecode,可以大大降低跨站点脚本编写和其他常见Web漏洞(例如SQL注入)的风险.永远不要将其用作仅 的安全/卫生机制,但它易于实现且有效.
By always calling HTMLEncode and HTMLDecode on any user input or text written to the screen, you greatly reduce the risk of Cross-site scripting and other common web vulnerabilities (like SQL injection). It should never be used as the only security/sanitation mechanism, but it is easy and effective to implement.
这篇关于在ASP.NET中的Textarea中显示HTML和其他代码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!