如何以及何时使用Html编码 [英] How and when to use Html encode

问题描述

我最近了解到，我不应该在数据库中存储html编码的数据，但我应该对用户屏幕上显示的数据进行html编码。
没什么大不了的，我必须解决我的数据库记录并做一些代码修改。

但是我的问题是，何时应该使用html编码，何时应该't I.
例如，在一个html表格中，我直接从数据库写入列的内部HTML。如果没有编码，这将是危险的，我明白了。

设置文本框的值时怎么办？它似乎工作，而不必html的值编码。但我不知道为什么。这是文本框的样子：

 < input type =textboxvalue =xxx/> 
  

但是，将值设置为：/>< p style

<$ p $测试黑客< / p>
< / p>< code>< input type =textboxvalue =/>< p style =font-size：100px; code>

虽然看起来很好，但p-tag不能按照黑客的意图工作，它看起来很好。

是否有人得到我想要的目标:)？
如果我尝试将html设置为文本框值，则结果将显示 & lt等等，这不是我想要的。

所以简而言之：我是否应该只将html设置为html-controls的innerHtml ，而不是当设置，例如，文本框的值？

解决方案

答案来自于jh和我的讨论对这个问题发表评论，我不确定标记为答案，所以我决定回答米你自己的问题。我希望没关系。

似乎在设置属性的值时（如文本框的值），.NET自动将html编码为值，因此不需要自己做。

当设置一个html控制内部HTML时，重要的是你做html编码值。

感谢Thejh，对不起，我写不出任何投票。

编辑：我不能将这标记为另外两天的答案。

I've recently learned that i shouldn't store html encoded data in the database, but i should rather html encode the data that is shown on the screen for the user. No big deal, i have to fix my database records and make some code changes.

But my question is, when should I use html encode and when shouldn't I. For example, within a html table, I'm writing directly from the database to the inner HTML of a column. Without encoding this would be dangerous, I get that.

What about when setting the value of a textbox. It seems to work without having to html encode the value. But I'm not sure why. This is what the textbox look like:

<input type="textbox" value="xxx"/>

But when setting the value to: "/><p style="font-size: 100px;">testing hack</p> The html source will be:

<input type="textbox" value=""/><p style="font-size: 100px;">testing hack</p>

It will look fine though when viewed so the p-tag isn't working as intended by the "hack".

Is anyone getting what I'm trying to aim at :) ? If I do try to html encode something i set to a textbox value, the result will display "&lt" and so on, which is not what I intended.

So in short: Should I only html encode stuff that is set to the innerHtml of html-controls, and not when setting the value of, for example, textboxes?

解决方案

The answer came out of thejh's and my discussion in the comment to the question. I was not sure what to mark as answer so I decided to answer my own question. I hope that's ok.

It seems like when setting a value of an attribute (like the textbox's "value") .NET automatically html encodes the value so there is no need to do this by yourself.

When setting a html controls inner HTML though, it's important that you do html encode the value.

Thanks Thejh, sorry I couldn't up vote anything u wrote.

edit: I can't mark this as the answer for another 2 days.

这篇关于如何以及何时使用Html编码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！