htmlspecialchars - 与其他所有属性相比，对属性的不同转义? [英] htmlspecialchars - different escaping for attributes compared to everything else?

问题描述

我一直在阅读 htmlspecialchars() 以从数据库中转义用户输入和用户输入.在任何人说任何话之前，是的，我正在过滤 db 输入以及使用带有绑定的准备好的语句.我只关心保护输出.

I have been reading up on htmlspecialchars() for escaping user input and user input from the database. Before anyone says anything, yes, I am filtering on db input as well as using prepared statements with bindings. I am only concerned about securing the output.

我对何时使用 ENT_COMPAT、ENT_QUOTES、ENT_NOQUOTES 感到困惑.我在做研究时发现了以下摘录:

I am confused as to when to use ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES. I came across the following excerpt while doing my research:

htmlspecialchars() 调用中的第二个参数是 ENT_COMPAT.我有使用它是因为它是一个安全的默认值:它也会转义双引号字符 ".如果你真的需要这样做在 HTML 属性中输出(例如 <img src="<?php echo htmlspecialchars($img_path, ENT_COMPAT, 'UTF-8')">).你可以用ENT_NOQUOTES 其他任何地方.

The second argument in the htmlspecialchars() call is ENT_COMPAT. I've used that because it's a safe default: it will also escape double-quote characters ". You only really need to do that if you're outputting inside an HTML attribute (like <img src="<?php echo htmlspecialchars($img_path, ENT_COMPAT, 'UTF-8')">). You could use ENT_NOQUOTES everywhere else.

我在其他地方也发现了类似的评论.为属性转换单引号和/或双引号但不在其他地方转换它们的目的是什么?我唯一能想到的是，如果您将实际的 html 添加到页面中，例如:

I have found similar comments elsewhere as well. What is the purpose of converting single and/or double quotes for attributes yet not converting them elsewhere? The only thing I can think of is if you were adding actual html into the page for instance:

我的变量是:<img src="somepic.jpg" alt="some text"> 如果您在此处转换双引号，则由于转义引号将无法正确呈现.在摘录中给出的示例中，虽然我什至想不出会使用任何类型引用的实例.

My variable is : <img src="somepic.jpg" alt="some text"> if you converted the double quotes here it would not render properly because of the escaped quotes. In the example given in the excerpt though I can't even think of an instance where any type of quote would be used.

其次，在这个特定的参考中，它说在其他任何地方都使用 ENT_NOQUOTES.为什么?我个人的想法是告诉我在任何地方使用 ENT_QUOTES 和 ENT_NOQUOTES 当且仅当变量是需要它们的实际 html 属性时.

Secondly, in this particular reference it says to use ENT_NOQUOTES everywhere else. Why? My personal thought process is telling me to use ENT_QUOTES everywhere and ENT_NOQUOTES if and only if the variable is an actual html attribute that requires them.

我已经做了很多搜索和阅读，但仍然对所有这些感到困惑.我的主要目标是确保页面的输出安全，因此不会发生 html、php、js 操作.

I've done lots of searching and reading, but still confused about all of this. My main goal is to secure output to the page so there is no html, php, js manipulation happening.

推荐答案

只需在任何地方使用 ENT_QUOTES.PHP 会在您需要时提供选项，但在 99% 的情况下您不需要.不必要地转义引号是无害的.

Just use ENT_QUOTES everywhere. PHP gives the option in case you need it, but 99% of the time you don't. Escaping the quotes unnecessarily is harmless.

htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

因为代码太长，不能到处写，所以把它包装在一些小函数中.

Because that code is just too long to keep writing everywhere wrap it in some tiny function.

function es($string) {
  return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

这篇关于htmlspecialchars - 与其他所有属性相比，对属性的不同转义?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！