&安培;和& amp; [英] & and &
问题描述
如何阻止浏览器转换
& amp;
到
& ?
我们的系统中有一个textarea,用户可以输入一些HTML代码
并将其保存到数据库中。当数据退出并重新显示时,它显示为简单&。
HTML代码段:
< TEXTAREA NAME =" p_html" ROWS = 6 COLS = 70 ALIGN =VIRTUAL WRAP =" YES">
fred
&
& amp;
< / TEXTAREA>
显示后,用户可以预见地看到
fred
&
&
有什么办法解决这个问题 - 我确定这是一个问题
其他人 - 有没有办法逃避 ;显示前的价值?
-
jeremy
Jeremy写道:
我们的系统中有一个textarea,用户可以输入一些HTML代码
并保存到数据库。
用户不能输入HTML代码。进入< textarea>他们输入什么_is_
纯文本,他们可能_intend_后来解释为
它是HTML。为了帮助他们这样做,您必须首先将他们的简单
文本转换为输入HTML - 此过程的一部分将是编码
他们的明文&进入HTML& amp;,可能就在存储
之前。
服务器代码中的良好变量命名也会有所帮助 - 尝试前缀
带有strUserJunk或htmlUserJunk的
变量作为适当的。每当
你看到代码用不匹配的名字来分配变量时,就会怀疑是否存在编码/解码过程。
这个东西并不难做,但它需要清晰的思考和
注重细节。如果你让用户
发布任意大量的HTML,那么正确的做法也是非常重要的(你可以在博客上做一些有趣的攻击)。
Jeremy< je ******** @ gmail.com>写道:
如何阻止浏览器转换
&
到
&安培; ?
如果文档以文本/ html格式提供,则不能。
如果您希望浏览器显示& amp;字面上在文件中作为
text / html使用& amp;
根据您的需要,可以将其作为文本提供/ plain
在这种情况下你可以使用文字。这也可以嵌入到作为text / html的
文档中。
我们的系统中有一个textarea,用户可以输入一些HTML代码
并将其保存到数据库中。当数据退出并重新显示时,它显示为简单& ;.
HTML片段:
< TEXTAREA NAME =" p_html" ROWS = 6 COLS = 70 ALIGN =VIRTUAL WRAP =" YES">
<
&
< / TEXTAREA>
显示时,用户可预测看到了
fred
&
&
你还没弄清楚它的用途是什么for,但也许你的服务器
边数据处理需要转换用户输入的字符引用(&b; b& amp;& amp; amp; amp; amp; amp; amp; amp; amp; amp; amp; />
-
Spartanicus
文章< 11 ********* ************@p10g2000cwp.googlegroups。 com>,Andy
Dingley说...用户无法输入HTML code。进入< textarea>他们输入什么_is_
纯文本,他们可能会_后来解释它好像是HTML。为了帮助他们这样做,你必须首先将输入的简单文本转换成HTML - 这个过程的一部分是编码他们的明文&可能就在存储
之前的HTML& amp;& ;;
在您的服务器代码中使用良好的变量命名也会有所帮助 - 尝试使用&前缀
变量; strUserJunk",或htmlUserJunk作为适当的。每当你看到用不匹配的名字来分配变量的代码时,就会怀疑是否缺少编码/解码过程。
这个东西并不难要做,但它需要清晰的思考和对细节的关注。如果你让用户
发布任意大量的HTML,那么做到正确也是非常重要的(你可以在博客上做一些有趣的攻击等等。)
是的,我理解这一切。用户输入& amp;进入一个领域并且
提交表格。 & amp; amp; amp; amp;存储在数据库中,由
用户键入。重新显示数据进行编辑时,浏览器会更改
& amp;简单地&
所以它实际上与变量命名无关等等 -
问题是我们如何向用户呈现他们进入现场的数据是什么?
-
jeremy
How can one stop a browser from converting
&
to
& ?
We have a textarea in our system wehre a user can type in some html code
and have it saved to the database. When the data is retireved and
redisplayed it is displayed as simply &.
HTML snippet:
<TEXTAREA NAME="p_html" ROWS=6 COLS=70 ALIGN="VIRTUAL" WRAP="YES">
fred
&
&
</TEXTAREA>
When displayed, the user predictably sees
fred
&
&
What workarounds are there for this - I am sure it''s a problem for
others - is there a way of "escaping" the value before display?
--
jeremy
Jeremy wrote:
We have a textarea in our system wehre a user can type in some html code
and have it saved to the database.
Users can''t type "HTML code" into a <textarea> What they type _is_
plain text, which they might _intend_ to have interpreted later as if
it were HTML. To help them do this you must first convert their plain
text as entered into HTML - part of this process would be to encode
their plaintext "&" into the HTML "&", probably just before storing
it.
Good variable naming in your server code will help too - try prefixing
variable with "strUserJunk", or "htmlUserJunk" as appropriate. Whenever
you see code that assigns variables with mis-matched names, be
suspicious that there''s an encoding / decoding process missing.
This stuff isn''t hard to do, but it does require clarity of thought and
attention to detail. It''s also very important to get right (there are
some interesting attacks you can make on blogs etc. if you let users
post arbitrary chunks of HTML).
Jeremy <je********@gmail.com> wrote:
How can one stop a browser from converting
&
to
& ?
You can''t if the document is served as text/html.
If you want a browser to display & literally in a document served as
text/html use &amp;
Depending on what you need it may be possible to serve it as text/plain
in which case you can use the literal. This can also be embedded into a
document served as text/html.
We have a textarea in our system wehre a user can type in some html code
and have it saved to the database. When the data is retireved and
redisplayed it is displayed as simply &.
HTML snippet:
<TEXTAREA NAME="p_html" ROWS=6 COLS=70 ALIGN="VIRTUAL" WRAP="YES">
fred
&
&
</TEXTAREA>
When displayed, the user predictably sees
fred
&
&
You haven''t made it clear what this is used for, but maybe your server
side data processing needs to convert character references (not just
&) that the user enters to &char_ref
--
Spartanicus
In article <11*********************@p10g2000cwp.googlegroups. com>, Andy
Dingley says...Users can''t type "HTML code" into a <textarea> What they type _is_
plain text, which they might _intend_ to have interpreted later as if
it were HTML. To help them do this you must first convert their plain
text as entered into HTML - part of this process would be to encode
their plaintext "&" into the HTML "&", probably just before storing
it.
Good variable naming in your server code will help too - try prefixing
variable with "strUserJunk", or "htmlUserJunk" as appropriate. Whenever
you see code that assigns variables with mis-matched names, be
suspicious that there''s an encoding / decoding process missing.
This stuff isn''t hard to do, but it does require clarity of thought and
attention to detail. It''s also very important to get right (there are
some interesting attacks you can make on blogs etc. if you let users
post arbitrary chunks of HTML).
Yep I understand all of that. The user types & into a field and
submits the form. The & is stored in the database as typed by the
user. When the data is redisplayed for editing, the browser changes the
& to simply &
So it really has nothing to do with variable naming and so on - the
question is how can we present back to the user the data that they
entered into the field?
--
jeremy
这篇关于&安培;和& amp;的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
