开发者

But really I need htmlentities on a textarea?

I'd like to know if its really necessary escape my string with htmlentities($str, ENT_QUOTES, "UTF-8")开发者_StackOverflow社区 before print on an html textarea.

Or automatically this one escape for me the characters?


Yes, it is necessary.

Otherwise, a </textarea> in the input data would mess up your markup.

<textarea> <--------------------------- Your tag

  </textarea> <------------------------ User input      
  <script>alert("Hello!");</script> <-- User input, XSS injection

</textarea> <-------------------------- Your tag


The textarea element is defined as containing PCDATA, so tags are not allowed inside it and entities are still decoded.

Browsers will perform error correction, but error correction is a poor substitute for not having errors in the first place.

Some errors will not be corrected (because they aren't syntax errors), such as when you want the data to be &lt; or </textarea>.

Even if you decide that some errors are acceptable to you, then when you use a validator to perform basic QA, you will be generating noise that might obscure errors you care about.

So in short, yes, it is necessary to escape characters with special meaning. However, so long as you get your character encoding straight, htmlspecialchars is sufficient.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜