我真的需要编码'&'作为'& amp;'? [英] Do I really need to encode '&' as '&'?
问题描述
我在网站的< title> $ c $中使用带有HTML5和UTF-8的
&
c>。
I'm using an '&
' symbol with HTML5 and UTF-8 in my site's <title>
. Google shows the ampersand fine on its SERPs, as do all the browsers in their titles.
http://validator.w3.org 给我这个:
&没有启动一个字符引用。 (& amp; amp;
& did not start a character reference. (& probably should have been escaped as
&
.)
我真的需要做& amp;
?
我不太在意我的网页验证
I'm not fussed about my pages validating for the sake of validating, but I'm curious to hear people's opinions on this and if it's important and why.
推荐答案
是的,我很高兴听到别人对这个问题的意见,以及为什么。正如错误所说,在HTML中,属性是#PCDATA意味着它们被解析。这意味着您可以在属性中使用字符实体。使用&
本身是错误的,如果不是宽松的浏览器和事实,这是HTML不是XHTML,将破坏解析。只需将其转换为& amp;
,一切都会很好。
Yes. Just as the error said, in HTML, attributes are #PCDATA meaning they're parsed. This means you can use character entities in the attributes. Using &
by itself is wrong and if not for lenient browsers and the fact that this is HTML not XHTML, would break the parsing. Just escape it as &
and everything would be fine.
HTML5允许你不转义,但仅当后面的数据看起来不像有效的字符引用时。但是,最好只是转义这个符号的所有实例,而不必担心哪些应该是和哪些不需要。
HTML5 allows you to leave it unescaped, but only when the data that follows does not look like a valid character reference. However, it's better just to escape all instances of this symbol than worry about which ones should be and which ones don't need to be.
请记住这一点;如果你不逃避&对于你创建的数据(代码很可能是无效的),你可能不会转义标签分隔符,这是一个巨大的问题为用户提交的数据,这可能很好地导致到HTML和脚本注入,cookie偷取和其他漏洞。
Keep this point in mind; if you're not escaping & to &, it's bad enough for data that you create (where the code could very well be invalid), you might also not be escaping tag delimiters, which is a huge problem for user-submitted data, which could very well lead to HTML and script injection, cookie stealing and other exploits.
请跳过您的代码。它将为您节省很多麻烦。
Please just escape your code. It will save you a lot of trouble in the future.
这篇关于我真的需要编码'&'作为'& amp;'?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!