电子邮件主题是否需要html转义? [英] Do email subjects need to be html escaped?
问题描述
我即将发送可能包含不安全用户输入的代码中的html电子邮件。我注意到,如果我将HTML转移到主题,GMail将显示转义的内容(所以如果我的主题是This& That c $ c>这个& amp; amp那个,Gmail显示后者)。雷鸟也一样。假设所有电子邮件客户端都不需要转义主题html,可以安全吗?
不需要编码HTML实体主题行。 HTML体中编码的原因是,如果您使用XHTML,因为它源于XML,将& 作为保留字符。
但是,电子邮件的主题行不是HTML,XML或XHTML。这只是纯文本。因此,您不需要将&符号编码为& amp; amp; amp; amp; 。如果你对它进行编码,因为它不被解析为HTML,它将被显示为编码。
如果你想包括非ASCII字符(例如£),那么您需要将整个信封(包括电子邮件正文)编码为UTF-8。
所以在代码中,以下内容将显示为:
主题行|身体
==================================
& amp; amp | &放大器;放大器; | &安培;
& | &安培; | &安培;
UTF-8£| £| £
ASCII£| n / a | n / a
& | &安培;磅; |注意:Microsoft Office具有UTF-8的奇怪实现,因此不是所有的UTF-8字符将工作。
I am about to send an html email in code that may contain unsafe user input. I have noticed that if I html escape the subject, GMail will then display the escaped content (so if my subject is "This & That", which I sanitize as "This & That", Gmail shows the latter). The same goes for Thunderbird. Is it safe to assume that all email clients do not need the subject html escaped?
解决方案 No need to encode HTML entities in a subject line. The reason for encoding in the HTML body is if you're using XHTML which, because it derives from XML, treats & as a reserved character.
However, the subject line of an email is not in HTML, XML, or XHTML. It's just pure text. Because of this, you don't need to encode an ampersand as &. If you do encode it, because it's not being parsed as HTML, it will be displayed as encoded.
If you want to include non-ASCII characters (e.g. £), then you need to encode the whole 'envelope' (including the email body) as UTF-8.
So, in code, the following will be shown as:
| Subject Line | Body
====================================
& | & | &
& | & | &
UTF-8 £ | £ | £
ASCII £ | n/a | n/a
£ | £ | £
NB: Microsoft Office has a weird implementation of UTF-8, so not all UTF-8 characters will work.
这篇关于电子邮件主题是否需要html转义?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
