问题描述

我有一个应用程序，用户可以在其中将HTML和ASP代码段存储在数据库中.问题是，当我动态填充textarea控件时，HTML片段中可能包含的所有各种字符都将导致页面无法正确呈现.

I've got an application where users can store snippets of HTML and ASP code in a database. The trouble is, when i dynamically populate the textarea control, all the various characters that can be in an HTML snippet will cause the page to not render properly.

在输出到浏览器之前，有人可以给我指出有关去除/替换各种字符的指南/方法吗?

Can someone point me to a guideline/how-to on stripping out / replacing various characters before outputting to the browser?

我是否要去除尖括号并替换为站立字符?我是否要强迫用户输入<和>而不是尖括号?还是有一种更简单的方法?

Do I strip out the angle brackets and replace with a stand-in character? Do i force my users to enter < and > instead of angle brackets? Or is there a much easier way of doing this?

推荐答案

一个好的习惯是使用Server.httpUtility类中的HTMLEncode和HTMLDecode.

A good habit to be in is to use HTMLEncode and HTMLDecode from the Server.httpUtility class.

只需替换<和>或手动解析html可能会很麻烦，并且您可能不太一劳永逸".

Simply replacing < and > or manually parsing out html can be troublesome and you may not quite "get it all".

通过始终在任何输入到屏幕上的用户输入或文本上调用HTMLEncode和HTMLDecode，可以大大降低跨站点脚本编写和其他常见Web漏洞(例如SQL注入)的风险.永远不要将其用作仅 的安全/卫生机制，但它易于实现且有效.

By always calling HTMLEncode and HTMLDecode on any user input or text written to the screen, you greatly reduce the risk of Cross-site scripting and other common web vulnerabilities (like SQL injection). It should never be used as the only security/sanitation mechanism, but it is easy and effective to implement.

这篇关于在ASP.NET中的Textarea中显示HTML和其他代码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！