我正在使用textarea从用户那里获取输入并将其显示在屏幕上。 我怎样才能确保他们输入类似的东西
<h1>YAY, I hacked in</h1>我只是按原样显示它,它不会显示为<h1> 。 必须有一个功能。 帮帮我? :d
I'm using a textarea to get input from the user and display it on the screen. How can I make sure that if they put in something like
<h1>YAY, I hacked in</h1>I only display it as it is, and it doesn't display as an <h1>. There must be a function for this. Help? :D
最满意答案
您需要在服务器端解决此问题。 如果您在表单提交时使用JavaScript进行过滤,则用户可以通过创建自己的页面,使用telnet,禁用JavaScript,使用Chrome / FF / IE控制台等来破坏过滤器。如果您在显示时过滤,则可以什么都没有减轻,你只是在页面上移动了突破点。
例如,在PHP中,如果您希望仅使用用户的格式转储原始字符,则可以使用:
print htmlentities($user_submitted_data, ENT_NOQUOTES, 'utf-8');在.NET中:
someControl.innerHTML = Server.HtmlEncode(userSubmittedData);如果您正在尝试清理内容客户端以进行即时/预览显示,那么这应该足够了:
out.innerHTML = user_data.replace(/</g, "<").replace(/>/g, ">");You need to address this on the server side. If you filter with JavaScript at form submission time, the user can subvert your filter by creating their own page, using telnet, by disabling JavaScript, using the Chrome/FF/IE console, etc. And if you filter at display time, you haven't mitigated anything, you've only moved the breakin-point around on the page.
In PHP, for instance, if you wish to just dump the raw characters out with none of the user's formatting, you can use:
print htmlentities($user_submitted_data, ENT_NOQUOTES, 'utf-8');In .NET:
someControl.innerHTML = Server.HtmlEncode(userSubmittedData);If you're trying to sanitize the content client-side for immediate/preview display, this should be sufficient:
out.innerHTML = user_data.replace(/</g, "<").replace(/>/g, ">");更多推荐
发布评论