问题描述
我有一个HTML标签< textarea> $ FOO< / textarea>
, $ FOO
被任意的HTML和JavaScript内容填充,以在textarea中显示和编辑。什么样的逃跑我neet适用于$ FOO?
I have a HTML Tag <textarea>$FOO</textarea>
and the $FOO
Variable will be filled with arbitrary HTML and JavaScript Content, to be displayed and edited within the textarea. What kind of "escaping" do I neet to apply to $FOO?
我第一次转义它的HTML,但这没有奏效(因为我会然后显示不是原始的HTML代码$ FOO,而是转义的内容,这当然不是我想要的:我想显示变量的非转义的HTML / JS内容...
I first tought of escaping it HTML but this didnt work (as I will then get shown not the original HTML Code of $FOO but rather the escaped content. This is of course not what I want: I want to be displayed the unescaped HTML/JS Content of the variable...
在< textarea>
标签中显示HTML内容是否是不可能的,并且允许它作为完整的HTML进行编辑?
Is it impossible to display HTML Content within a <textarea>
tag and also allow it to be editable as full HTML?
感谢
jens
thanksjens
推荐答案
是的,没错。< textarea>
与任何其他元素(如< span>
或< p>
)的内容没有区别:if你想在里面放一些文本,必须将HTML中的任何<
或&
字符转义为& lt;
和& am
< textarea>
Yes, that's right. The contents of a <textarea>
are no different from the contents of any other element like a <span>
or a <p>
: if you want to put some text inside you must HTML-escape any <
or &
characters in it to <
and &
respectively.
浏览器确实会给您带来更多的回旋余地。 code> s,因为无效的未转义的<
符号的回退是将它们呈现为文本而不是标记,但这并不会使它变得更少错误的或危险的(对于XSS)。
Browsers do tend to give you more leeway with fault markup in <textarea>
s, in that the fallback for invalid unescaped <
symbols is to render them as text instead of tags, but that doesn't make it any less wrong or dangerous (for XSS).
请发布您没做过的工作。 HTML转义绝对是正确的。
Please post what you did that didn't work. HTML-escaping is definitely the right thing.
这篇关于HTML:< textarea> -Tag:如何正确转义那里显示的HTML和JavaScript内容?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!