我真的需要编码'&'作为'& amp;'？ [英] Do I really need to encode '&' as '&'?

问题描述

我在网站的< title> & c>。

I'm using an '&' symbol with HTML5 and UTF-8 in my site's <title>. Google shows the ampersand fine on its SERPs, as do all the browsers in their titles.

http://validator.w3.org 给我这个：

&没有启动一个字符引用。 （& amp; amp;

& did not start a character reference. (& probably should have been escaped as &.)

我真的需要做& amp; ？

我不太在意我的网页验证

I'm not fussed about my pages validating for the sake of validating, but I'm curious to hear people's opinions on this and if it's important and why.

推荐答案

是的，我很高兴听到别人对这个问题的意见，以及为什么。正如错误所说，在HTML中，属性是#PCDATA意味着它们被解析。这意味着您可以在属性中使用字符实体。使用& 本身是错误的，如果不是宽松的浏览器和事实，这是HTML不是XHTML，将破坏解析。只需将其转换为& amp; ，一切都会很好。

Yes. Just as the error said, in HTML, attributes are #PCDATA meaning they're parsed. This means you can use character entities in the attributes. Using & by itself is wrong and if not for lenient browsers and the fact that this is HTML not XHTML, would break the parsing. Just escape it as & and everything would be fine.

HTML5允许你不转义，但仅当后面的数据看起来不像有效的字符引用时。但是，最好只是转义这个符号的所有实例，而不必担心哪些应该是和哪些不需要。

HTML5 allows you to leave it unescaped, but only when the data that follows does not look like a valid character reference. However, it's better just to escape all instances of this symbol than worry about which ones should be and which ones don't need to be.

请记住这一点;如果你不逃避&对于你创建的数据（代码很可能是无效的），你可能不会转义标签分隔符，这是一个巨大的问题为用户提交的数据，这可能很好地导致到HTML和脚本注入，cookie偷取和其他漏洞。

Keep this point in mind; if you're not escaping & to &, it's bad enough for data that you create (where the code could very well be invalid), you might also not be escaping tag delimiters, which is a huge problem for user-submitted data, which could very well lead to HTML and script injection, cookie stealing and other exploits.

请跳过您的代码。它将为您节省很多麻烦。

Please just escape your code. It will save you a lot of trouble in the future.

这篇关于我真的需要编码'&'作为'& amp;'？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！