我需要HTML的EN code标题属性(工具提示)? [英] Do I need to html-encode title attributes (tooltips)?
问题描述
在我的标记,我使用 HTML title属性我通过各种ASP.NET的工具提示属性设置像 ASP控件:标签。这些书籍的内容来自数据库,我使用数据绑定语法,例如:
In my markup I am using HTML title attributes which I set by the Tooltip property of various ASP.NET controls like an asp:Label. The content of those titles come from a database and I use data binding syntax, for instance:
<asp:Label ID="PersonLabel" runat="server"
Text='<%# HttpUtility.HtmlEncode(Eval("PersonShortName")) %>'
ToolTip='<%# HttpUtility.HtmlEncode(Eval("PersonFullName")) %>' />
现在,工具提示似乎要被显示为在Windows纯文本和我已经测试的浏览器。因此,HTML编码的是不是我真正想要的,我倾向于删除编码。
Now, tooltips seem to be displayed as plain text on Windows and in the browsers I have tested. So the HTML-encoding is not what I really want and I am inclined to remove the encoding.
可这是在任何方面危险的,如果数据库字段可能包含脚本标签的例子吗?我的问题基本上是:是它始终确保HTML的标题属性显示为纯文本?他们是否始终显示为在所有的提示,或者是有可能,有些浏览器(或操作系统)以另一种方式显示出来,并允许和渲染HTML内容的标题属性?
Can this be dangerous in any way if the database fields may contain script tags for example? My question is basically: Is it always guaranteed that HTML-title attributes are displayed as plain text? Are they always displayed as tooltips at all, or is it possible that some browsers (or OSs) display them in another way and allow and render HTML content in the title attributes?
编辑:
在一些看来我没有那句我的问题以及问题的答案看,所以这里有一些补充:
Looking at some of the answers it seems I didn't phrase my question well, so here are some additions:
如果我在code段以上 PersonShortName 在我的数据库,并为PM的 PersonFullName 在它的非ASCII字符,如变音符号在彼得·穆勒的提示浏览器中显示的名称彼得·M&放大器;#252;缪勒我申请的时候 HttpUtility.HtmlEn code 像code例子 - 这是丑陋的。
If I have in the code snippet above a PersonShortName of "PM" in my database and as the PersonFullName a name with non-ASCII characters in it like Umlauts in "Peter Müller" the browser displays in the tooltip Peter Müller when I apply HttpUtility.HtmlEncode like in the code example - which is ugly.
我还测试了一个简单的HTML片段,如:
I've also tested a simple HTML fragment like:
<span title="<script>alert('Evil script')</script>" >Hello</span>
在title属性的脚本并没有启用Javascript的浏览器(火狐测试)中运行,而不是它显示在工具提示为纯文本。因此,我的猜测是,标题属性始终呈现为纯文本。
The script in the title attribute didn't run in a browser with enabled Javascript (tested with Firefox), instead it was displayed in the tooltip as plain text. Therefore my guess was that title attributes are always rendered as plain text.
但正如菲利普Alsacreations如下回答存在富提示插件,这可能会导致title属性为HTML。因此,在这种情况下,编码是一件好事。但是,我怎么能知道?
But as Felipe Alsacreations answered below there exist "rich tooltip plugins" which may render the title attribute as HTML. So in this case encoding is a good thing. But how can I know that?
也许 HttpUtility.HtmlEn code 不是正确的解决方案,我必须只过滤HTML标签而不是连接code简单的特殊字符,使确保纯文本显示正确,保护丰富的HTML工具提示在同一时间。但它看起来像一个代价高昂的工作 - 只为一个简单的提示
Perhaps HttpUtility.HtmlEncode isn't the right solution and I have to filter only HTML tags but not encode simple special characters to make sure that the plain text is displayed correctly and to protect "rich HTML tooltips" at the same time. But it looks like a costly work - only for a simple tooltip.
推荐答案
始终消毒输出到浏览器。
如果像&GT值;&LT;脚本&GT;布拉布拉&LT; / SCRIPT&GT; 插入为您的字段的值,用户基本上可以接管你的整个网站它可能会弄得一团糟,当谈到验证和正确的code,但脚本仍将运行。
If a value like "><script>blabla</script> is inserted as a value for your fields, a user can essentially take over your entire site. It will probably make a mess when it comes to validation and correct code, but the script will still be run.
因此,要回答你的问题:不,它不能保证,如果用户知道他/她在做HTML的标题属性显示为纯文本的
So to answer your question: No, it is not guaranteed that HTML-title attributes are displayed as plain text if the user knows what he/she is doing.
这篇关于我需要HTML的EN code标题属性(工具提示)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
