Best practice. Do I save html tags in DB or store the html entity value?


Question



I was wondering about which way I should do the following. I am using the tiny MCE wysiwyg editor, which formats the user's data with the right html tags. Now, I need to save this data entered into the editor into a database table.

Should I encode the html tags to their corresponding entities when inserting into the DB, then, when I get the data back from the table, not have to encode it for XSS purposes, but I'd still have to use eval for the html tags to format the text.

OR

Do I save the html tags into the database, then, when I get the data back from the database, encode the html tags to their entities? But then, as the tags will appear to the user, I'd have to use the eval function to actually format the data as it was entered.

My thoughts are with the first option; I just wondered what you guys thought.

Solution

Neither. You store the HTML "as-is" so when you pull it out it's ready for rendering. You shouldn't be converting back and forth. What you put in should be what you display. What you want to do is filter the input before you put it into the DB. Both tinyMCE and ck/fckEditor have facilities to limit the tags that can be used in an editor and it will strip those tags for you. Then you just need to perform any other necessary validation or formatting.
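The approach the answer recommends, as an added example that is not part of the original post or of TinyMCE: an allow-list sanitiser runs once on the editor output before the INSERT, the table holds render-ready HTML, and the read path returns it untouched (no entity decoding, no eval). Python's standard-library `html.parser` and an in-memory SQLite table stand in for whatever server stack is actually used; the allowed tag and attribute sets, the `posts` table and the submitted fragment are all assumptions constructed for the example. Note that the editor's own tag restriction is a client-side convenience only; a request can bypass the editor entirely, so the filter has to live on the server.

```python
# Added example: filter HTML once on input, store as-is, render as-is.
# Tag/attribute allow-lists and the sample fragment are assumptions for the
# example, not TinyMCE's or any project's configuration.
import re
import sqlite3
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}      # style, class, on* handlers etc. are dropped
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}   # drop the tag *and* everything inside it
SAFE_SCHEMES = {"", "http", "https", "mailto"}


def safe_url(value):
    """Accept only relative URLs or allow-listed schemes (rejects javascript:)."""
    cleaned = re.sub(r"[\x00-\x20]", "", value or "")   # browsers skip these
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens, keeping only allowed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # text arrives decoded
        self.out = []
        self.stack = []        # allowed tags currently open, for balancing
        self.skip_depth = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                      # tag removed, its text is still kept
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not safe_url(value):
                continue
            parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{' '.join(parts)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        while self.stack:               # close anything still open inside it
            closed = self.stack.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped

    # comments, doctypes and processing instructions use the HTMLParser
    # defaults, which discard them

    def result(self):
        self.close()
        while self.stack:               # balance tags the editor left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


def save_post(conn, editor_html):
    """Filter on the way in: what lands in the table is what gets displayed."""
    clean = sanitize_html(editor_html)
    cur = conn.execute("INSERT INTO posts (body) VALUES (?)", (clean,))
    return cur.lastrowid


def render_post(conn, post_id):
    """No decoding, no eval: the stored HTML is already render-ready."""
    row = conn.execute("SELECT body FROM posts WHERE id = ?", (post_id,)).fetchone()
    return row[0]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    # constructed editor output: legitimate formatting plus injected junk
    submitted = ('<p onclick="steal()">Hi <b>there</b></p>'
                 '<script>alert(1)</script>'
                 '<a href="javascript:alert(2)">x</a>'
                 '<a href="https://example.com/?a=1&amp;b=2">ok</a> 5 < 6 &amp; 7')
    return render_post(conn, save_post(conn, submitted))


if __name__ == "__main__":
    print(demo())
```

Because text nodes are decoded on parse and re-escaped on output, a literal `&lt;` typed by the user survives as `&lt;` and a bare `<` becomes `&lt;`, so the stored string is consistent regardless of how the editor encoded it; the same sanitiser would be rerun if the allow-list ever changes, since the rows were filtered against the old one.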
