是不是一个坏主意，在插入到数据库而不是输出之前转义HTML？ [英] Is it a bad idea to escape HTML before inserting into a database instead of upon output?

问题描述

我一直在使用不允许HTML格式化的系统。我目前使用的方法是在HTML实体插入数据库之前对其进行转义。我已经被告知我应该将原始文本插入数据库，并在输出上转义HTML实体。

I've been working on a system which doesn't allow HTML formatting. The method I currently use is to escape HTML entities before they get inserted into the database. I've been told that I should insert the raw text into the database, and escape HTML entities on output.

其他类似的问题，我看过看起来像case

Other similar questions here I've seen look like for cases where HTML can still be used for formatting, so I'm asking for a case where HTML wouldn't be used at all.

推荐答案

如果你在你的数据库中存储了转义的html，你首先必须'unescape '存储在db中的值，只是将它再次转换成不同的格式。

if you have stored escaped html in your db, you would first have to 'unescape' the value stored in the db, just to re-escape it again into a different format.

也看到了这个完美的关于xss预防的owasp文章

这篇关于是不是一个坏主意，在插入到数据库而不是输出之前转义HTML？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！