本文介绍了HTML:我应该编码大于还是不大于?( > > )的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
在编码可能不安全的数据时,是否有理由对 >
进行编码?
When encoding possibly unsafe data, is there a reason to encode >
?
- 它验证任一方式.
- 浏览器以任何一种方式解释相同,(在
attr="data"
、attr='data'
、<tag>data</tag>
)
- It validates either way.
- The browser interprets the same either way, (In the cases of
attr="data"
,attr='data'
,<tag>data</tag>
)
我认为有人会这样做的原因是
I think the reasons somebody would do this are
- 简化基于正则表达式的标签移除.
<[^>]+>?
(罕见) - 未加引号的字符串
attr=data
.:-o(没有发生!) - 代码中的美学.(那又怎样?)
- To simplify regex based tag removal.
<[^>]+>?
(rare) - Non-quoted strings
attr=data
. :-o (not happening!) - Aesthetics in the code. (so what?)
我错过了什么吗?
推荐答案
严格来说,为了防止 HTML 注入,你只需要将 <
编码为 <
.
Strictly speaking, to prevent HTML injection, you need only encode <
as <
.
如果用户输入要放在属性中,也将 "
编码为 "
.
If user input is going to be put in an attribute, also encode "
as "
.
如果你做对了,并且使用了正确引用的属性,你就不需要担心>
.但是,如果您不确定这一点,您应该对其进行编码以确保安心 - 它不会造成任何伤害.
If you're doing things right and using properly quoted attributes, you don't need to worry about >
. However, if you're not certain of this you should encode it just for peace of mind - it won't do any harm.
这篇关于HTML:我应该编码大于还是不大于?( > &gt; )的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!