为什么 _.escape 会修改 Underscore.js 中的/字符? [英] why does _.escape modify / characters in Underscore.js?

问题描述

我浏览了 Underscore.js api，我注意到 _.escape 转义 &、<、>、"、' 和 / 字符.让我惊讶的是转义 /.

I was looking through the Underscore.js api and I noticed that _.escape escapes &, <, >, ", ', and / characters. What surprised me was escaping /.

是否有理由转义我不知道的 / 字符?

Is there a reason to escape / characters that I don't know about?

推荐答案

EDIT: 好的，显然是 OWASP 因为它有助于结束 HTML 实体".

EDIT: Alright, apparently, it is recommended by OWASP as it "helps end a HTML entity".

使用 HTML 实体编码对以下字符进行转义以防止切换到任何执行上下文，例如脚本、样式或事件处理程序.规范中建议使用十六进制实体.此外到 XML 中的 5 个重要字符(&、<、>、"、')，向前包含斜线是因为它有助于结束 HTML 实体.

Escape the following characters with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers. Using hex entities is recommended in the spec. In addition to the 5 characters significant in XML (&, <, >, ", '), the forward slash is included as it helps to end an HTML entity.

& --> &
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27;     &apos; is not recommended
/ --> &#x2F;     forward slash is included as it helps end an HTML entity

这篇关于为什么 _.escape 会修改 Underscore.js 中的/字符?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！