Disadvantage of HttpUtility.HtmlAttributeEncode


Problem description

I have to encode a field so to make it secure of script injection.

I know I can use HttpUtility.HtmlEncode and Decode, but this method for HI-ASCII characters goes out of the range of the field size in database and I don't want to change the size of data field column.

Instead if I use HttpUtility.HtmlAttributeEncode, it works fine because it does not encode the HI-ASCII characters.

Is it safe? What can be the disadvantages of it?

Recommended answer

From HttpUtility.HtmlAttributeEncode Method (String):

The HtmlAttributeEncode method converts only quotation marks ("), ampersands (&), and left angle brackets (<) to equivalent character entities. It is considerably faster than the HtmlEncode method.

The string result from the HtmlAttributeEncode method should be used only for double-quoted attributes. Security issues might arise when using the HtmlAttributeEncode method with single-quoted attributes.

However it is not a usual practice to store the encoded input in the database. It is difficult to predict how much longer an encoded version will become.

Much better is to directly store the input, and only encode it when needed (when you output it in HTML).
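The following Python script is an added example, not code from the question, the answer or the .NET Framework. It models the two encoders exactly as the answer describes them (HtmlAttributeEncode converting only ", & and <; HtmlEncode, in the older framework version the question refers to, also converting > and the Latin-1 range 160..255 to numeric entities, which is an assumption about that version) so that the two points of the answer can be measured: how much an encoded value can outgrow a fixed-width column, and why encoding belongs at output time into a double-quoted attribute. The sample string and the column width are constructed.

```python
# Emulation of the encoders described in the answer; not the .NET implementation.
# HtmlAttributeEncode per the quoted docs: only ", & and < are converted.
ATTR_MAP = {"&": "&amp;", '"': "&quot;", "<": "&lt;"}


def html_attribute_encode(s: str) -> str:
    """Model of HttpUtility.HtmlAttributeEncode as the quoted docs describe it."""
    return "".join(ATTR_MAP.get(ch, ch) for ch in s)


def html_encode(s: str) -> str:
    """Model of the older HttpUtility.HtmlEncode the question describes
    (assumption: it also encodes > and characters 160..255 as &#nnn;)."""
    out = []
    for ch in s:
        if ch in ATTR_MAP:
            out.append(ATTR_MAP[ch])
        elif ch == ">":
            out.append("&gt;")
        elif 160 <= ord(ch) <= 255:      # the "HI-ASCII" range from the question
            out.append(f"&#{ord(ch)};")
        else:
            out.append(ch)
    return "".join(out)


def fits_column(value: str, width: int) -> bool:
    """Would this value fit a fixed-width text column of `width` characters?"""
    return len(value) <= width


def safe_for_quote_style(encoded: str, quote: str) -> bool:
    """True if the encoded value cannot terminate an attribute delimited by `quote`.
    Only the double-quote case is covered by the attribute encoder's guarantees."""
    return quote not in encoded


def render_value_attribute(stored_raw: str) -> str:
    """The pattern the answer recommends: keep the raw text in the database and
    encode at output time, always into a double-quoted attribute."""
    return f'<input type="text" value="{html_attribute_encode(stored_raw)}">'


# Constructed sample: accented Latin-1 letters plus every character the encoders touch.
SAMPLE = 'Müller & Söhne "Straße" <Köln>'
COLUMN_WIDTH = 50  # constructed column size for the comparison


if __name__ == "__main__":
    for label, value in (("raw", SAMPLE),
                         ("HtmlAttributeEncode", html_attribute_encode(SAMPLE)),
                         ("HtmlEncode", html_encode(SAMPLE))):
        print(f"{label:20} len={len(value):3} fits={fits_column(value, COLUMN_WIDTH)}  {value}")
    # The attribute encoder leaves ' alone, so its output is only safe between double quotes.
    enc = html_attribute_encode("O'Brien")
    print("double-quoted ok:", safe_for_quote_style(enc, '"'),
          "single-quoted ok:", safe_for_quote_style(enc, "'"))
    print(render_value_attribute(SAMPLE))
```

Running it shows the raw text (30 characters) and its attribute-encoded form (47) fitting the 50-character column while the HtmlEncode form (70) does not; the growth depends on how many special and accented characters the input happens to contain, which is exactly why the answer says the encoded length is hard to predict and why the raw text is the right thing to store.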
