What are the characters that are required and suffice when escaping user-generated content before o开发者_运维百科utput? (in other words: what are the characters web developers should escape when outputting text that previously came from an untrusted, anonymous source?)
When echoing to a page, you should encode
- '&' (ampersand) becomes '
&'- '"' (double quote) becomes '
"'- ''' (single quote) becomes '
''- '<' (less than) becomes '
<'- '>' (greater than) becomes '
>'
From PHP's htmlspecialchars() docs.
Note that the context also matters.
You'll also need to take the character set into account.
I think that escaping the < > & " ' symbols should be enough for any scenario.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论