如何以及何时使用Html编码 [英] How and when to use Html encode
问题描述
我最近了解到,我不应该在数据库中存储html编码的数据,但我应该对用户屏幕上显示的数据进行html编码。
没什么大不了的,我必须解决我的数据库记录并做一些代码修改。
但是我的问题是,何时应该使用html编码,何时应该't I.
例如,在一个html表格中,我直接从数据库写入列的内部HTML。如果没有编码,这将是危险的,我明白了。
设置文本框的值时怎么办?它似乎工作,而不必html的值编码。但我不知道为什么。这是文本框的样子:
< input type =textboxvalue =xxx/>
但是,将值设置为:/>< p style
<$ p $测试黑客< / p>
< / p>< code>< input type =textboxvalue =/>< p style =font-size:100px; code>
虽然看起来很好,但p-tag不能按照黑客的意图工作,它看起来很好。
是否有人得到我想要的目标:)?
如果我尝试将html设置为文本框值,则结果将显示 & lt等等,这不是我想要的。
所以简而言之:我是否应该只将html设置为html-controls的innerHtml ,而不是当设置,例如,文本框的值?
答案来自于jh和我的讨论对这个问题发表评论,我不确定标记为答案,所以我决定回答米你自己的问题。我希望没关系。
似乎在设置属性的值时(如文本框的值),.NET自动将html编码为值,因此不需要自己做。
当设置一个html控制内部HTML时,重要的是你做html编码值。
感谢Thejh,对不起,我写不出任何投票。
编辑:我不能将这标记为另外两天的答案。
I've recently learned that i shouldn't store html encoded data in the database, but i should rather html encode the data that is shown on the screen for the user. No big deal, i have to fix my database records and make some code changes.
But my question is, when should I use html encode and when shouldn't I. For example, within a html table, I'm writing directly from the database to the inner HTML of a column. Without encoding this would be dangerous, I get that.
What about when setting the value of a textbox. It seems to work without having to html encode the value. But I'm not sure why. This is what the textbox look like:
<input type="textbox" value="xxx"/>
But when setting the value to: "/><p style="font-size: 100px;">testing hack</p>
The html source will be:
<input type="textbox" value=""/><p style="font-size: 100px;">testing hack</p>
It will look fine though when viewed so the p-tag isn't working as intended by the "hack".
Is anyone getting what I'm trying to aim at :) ? If I do try to html encode something i set to a textbox value, the result will display "<" and so on, which is not what I intended.
So in short: Should I only html encode stuff that is set to the innerHtml of html-controls, and not when setting the value of, for example, textboxes?
The answer came out of thejh's and my discussion in the comment to the question. I was not sure what to mark as answer so I decided to answer my own question. I hope that's ok.
It seems like when setting a value of an attribute (like the textbox's "value") .NET automatically html encodes the value so there is no need to do this by yourself.
When setting a html controls inner HTML though, it's important that you do html encode the value.
Thanks Thejh, sorry I couldn't up vote anything u wrote.
edit: I can't mark this as the answer for another 2 days.
这篇关于如何以及何时使用Html编码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!