
Sanitize input for code blog

开发者 https://www.devze.com 2022-12-08 07:53 Source: web

I have a code blog in which I have a user input form for submissions. Whatever goes in that form will appear on one of the pages. Now this is a coding blog, so I don't want to strip any HTML tags or javascript code from the input, but I don't want it to be executed at any point. What is the best way to render any input harmless? Is replacing < by &lt; and > by &gt; enough?

(for info, the server will be GAE, the input will be passed around (but never evaluated) in python variables, and stored in a TextProperty)


Yes, replacing < and > should be enough


The best bet would be to simply escape those values on the back-end for safe input into your storage engine and output them using HTML entities so that they are displayed as code.

0
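An added example (not code from the question or either answer) showing the two escaping choices discussed above in Python, the language the asker runs on GAE. It contrasts the `<`/`>`-only replacement from the question with the standard library's `html.escape`, which also encodes `&` and both quote characters, and wraps a submission in `<pre><code>` for display as inert text. Function names and the sample submission are constructed for the demonstration; the stored value is left verbatim and escaping is applied only when the page is rendered.

```python
import html


def escape_lt_gt(text: str) -> str:
    """The minimal replacement asked about in the question: only < and >."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def escape_html(text: str) -> str:
    """Escape all five HTML-significant characters: & < > " and '.

    Escaping & as well means a submission that literally contains "&lt;"
    is shown as "&lt;" rather than being rendered by the browser as "<".
    Escaping quotes makes the result safe inside attribute values too.
    """
    return html.escape(text, quote=True)


def render_submission_block(code: str) -> str:
    """Render a stored submission as a visible, non-executing code block."""
    return "<pre><code>" + escape_html(code) + "</code></pre>"


def render_submission_title(title: str) -> str:
    """Place user text inside an attribute; this context needs quote escaping."""
    return '<a title="' + escape_html(title) + '">submission</a>'


# Constructed sample submission: markup, a JS-like expression, and a literal entity.
SAMPLE = '<div class="x">a < b && c</div> shows &lt;div&gt;'

if __name__ == "__main__":
    print("lt/gt only :", escape_lt_gt(SAMPLE))
    print("full escape:", escape_html(SAMPLE))
    print(render_submission_block(SAMPLE))
    print(render_submission_title('say "hi"'))
```

Run as a script to see both outputs side by side; the `<`/`>`-only version leaves `&lt;div&gt;` unescaped, so the browser would display it as `<div>` instead of the characters the user typed.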
