HTML:我应该编码大于还是不大于?( > > ) [英] HTML: Should I encode greater than or not? ( > > )

问题描述

在编码可能不安全的数据时，是否有理由对 > 进行编码?

When encoding possibly unsafe data, is there a reason to encode >?

• 它验证任一方式.
• 浏览器以任何一种方式解释相同，(在 attr="data"、attr='data'、<tag>data</tag>)

• It validates either way.
• The browser interprets the same either way, (In the cases of attr="data", attr='data', <tag>data</tag>)

我认为有人会这样做的原因是

I think the reasons somebody would do this are

• 简化基于正则表达式的标签移除.<[^>]+>?(罕见)
• 未加引号的字符串attr=data.:-o(没有发生！)
• 代码中的美学.(那又怎样?)

• To simplify regex based tag removal. <[^>]+>? (rare)
• Non-quoted strings attr=data. :-o (not happening!)
• Aesthetics in the code. (so what?)

我错过了什么吗?

推荐答案

严格来说，为了防止 HTML 注入，你只需要将 < 编码为 <.

Strictly speaking, to prevent HTML injection, you need only encode < as <.

如果用户输入要放在属性中，也将 " 编码为 ".

If user input is going to be put in an attribute, also encode " as ".

如果你做对了，并且使用了正确引用的属性，你就不需要担心>.但是，如果您不确定这一点，您应该对其进行编码以确保安心 - 它不会造成任何伤害.

If you're doing things right and using properly quoted attributes, you don't need to worry about >. However, if you're not certain of this you should encode it just for peace of mind - it won't do any harm.

这篇关于HTML:我应该编码大于还是不大于?( > > )的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！