Should I save user input in the db HTML-encoded?
Problem description
We're having a conflict with coworkers on whether we should htmlencode user input and then save it to the db (vs saving it straightforward as it is).

I also find various answers which say that the DB should save the plain(!) input. Why? Because the DB should know that the user length is 1 in < and not 4 in &lt;. The html encoding should only be made when outputting.

But: having said that, I see that Stackoverflow is not following this rule.

When I save a question here at SO which contains a plain <, it does show (obviously) the &lt; in the preview pane. BUT when I submit the question: it submits the content as json with html encode!

Json.stringify is not doing html encode.

So if I type in the input:

And submit:

I see (via fiddler) that it actually sends the html encoded value:

Question:

As you see, I'm a bit confused. The common logic says that the db should save whatever the user types 1:1. The sanitization should be made at the output.
Solution

You must encode input sent to the server, because otherwise the anti-cross-site-scripting protection on the server will block the entire request. However, you decode this input before saving to the DB.

In other words, what you see in the POST isn't necessarily what is saved to the database.
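An added example (JavaScript; not code from the question, the answer, or Stack Overflow) that puts the two storage policies side by side: JSON.stringify leaves `<` untouched, storing the raw value and encoding once at output gives correct HTML, while storing pre-encoded text inflates the stored length and double-encodes as soon as the output path encodes again. The htmlEncode helper, the MAX_LEN column width and the sample input are assumptions constructed for this example.

```javascript
// Added example: store raw, encode at output (not the original page's code).

// Assumed encoder for HTML text nodes: the five characters that matter.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed column width for the stored field, as a validation rule would see it.
const MAX_LEN = 5;

// Constructed sample input: the plain "<" the question talks about (5 chars).
const userInput = 'a < b';

// JSON.stringify escapes only for JSON syntax; "<" is sent through as-is.
function jsonBodyForInput(s) {
  return JSON.stringify({ body: s });
}

// Policy A: the DB holds exactly what the user typed; the output layer encodes once.
function storeRawRenderEncoded(s) {
  const dbValue = s;                     // 1 char per "<" in the DB
  const html = htmlEncode(dbValue);      // single encoding at output time
  return { dbValue, storedLength: dbValue.length, fits: dbValue.length <= MAX_LEN, html };
}

// Policy B: the DB holds pre-encoded text; the output layer still encodes,
// because a renderer cannot safely assume its input is already encoded.
function storeEncodedRenderEncoded(s) {
  const dbValue = htmlEncode(s);         // "<" is now 4 chars: "&lt;"
  const html = htmlEncode(dbValue);      // output encoder runs again: "&amp;lt;"
  return { dbValue, storedLength: dbValue.length, fits: dbValue.length <= MAX_LEN, html };
}

// Stand-alone run for the reader.
console.log(jsonBodyForInput(userInput));
console.log(storeRawRenderEncoded(userInput));
console.log(storeEncodedRenderEncoded(userInput));
```

Policy B shows up as a length-limit rejection of input that the user sees as 5 characters and as a literal "&lt;" rendered on the page; policy A keeps the data faithful and leaves escaping to the one place that knows the output context.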