
What are the functional differences between single-quoted vs double-quoted html attributes?

Developer https://www.devze.com 2023-01-09 03:46 Source: Internet
Let sEncodedHref represent an HttpUtility.HtmlAttributeEncode(..)'d string.

Are there any functional differences between generated html like this:

String.Format(@"<span class='blue' src='{0}'>", sEncodedHref);

vs. generated html like this:

String.Format(@"<span class=""blue"" src=""{0}"">", sEncodedHref);

I've been under the impression that the single-quoted variant is both less supported and less "safe", however I have trouble providing reasons to support that argument.


There is no functional difference. Quoting the W3C on SGML and HTML:

By default, SGML requires that all attribute values be delimited using either double quotation marks (ASCII decimal 34) or single quotation marks (ASCII decimal 39). Single quote marks can be included within the attribute value when the value is delimited by double quote marks, and vice versa.

...

In certain cases, authors may specify the value of an attribute without any quotation marks. The attribute value may only contain letters (a-z and A-Z), digits (0-9), hyphens (ASCII decimal 45), periods (ASCII decimal 46), underscores (ASCII decimal 95), and colons (ASCII decimal 58). We recommend using quotation marks even when it is possible to eliminate them.


Absolutely no functional difference. Both are valid, although double quotes are more widely used and are preferred.


From a functional perspective there are no differences. From a security perspective there are. It is easier for a hacker to do XSS when you use single quotes (when the text within those quotes comes from an untrusted source, of course). However, I wouldn't bet on only double quotes. You'd better use proper encoding on that attribute value.


Update:

Here is an example with ASP.NET:

<input type='button' 
    value='<% = HttpUtility.HtmlEncode(Request["button"]) %>' />

Because of the use of single quotes, this code snippet is easier to exploit for a hacker. Here is an example. When you put the following text in the button argument of the query string, you will have a successful* XSS exploit:

click' onclick='alert("xss")

as in:

mypage.aspx?button=click'%20onclick='alert("xss")

This attack wouldn't have been successful when we would have written the snippet with double quotes as follows:

<input type='button' 
    value="<% = HttpUtility.HtmlEncode(Request["button"]) %>" />

I hope this clears things up a bit.

*Of course, the newest browsers will detect this type of attack (which is called reflected XSS), but won't detect it when the string didn't come directly from the browser (which is called persistent XSS).
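The answer above shows the break-out by hand; the following is an added example (not code from the answer or from the .NET framework) that makes the same point mechanically. It re-implements two encoders in simplified form, htmlEncodeLegacy for the pre-.NET 4 behaviour of HttpUtility.HtmlEncode (which escaped &, <, > and " but left the apostrophe alone; .NET 4 and later also escape it), and htmlAttributeEncode for HttpUtility.HtmlAttributeEncode (which escapes the apostrophe as well). It then renders the `<input>` tag with either quote style, re-parses the tag with a minimal attribute tokenizer, and reports whether an `onclick` attribute appeared. The encoders, the tokenizer and the payload are assumptions constructed for this demonstration.

```javascript
// Added example, not part of the original answer. Both encoders are
// simplified stand-ins: htmlEncodeLegacy mimics HttpUtility.HtmlEncode as it
// behaved before .NET 4 (apostrophe untouched); htmlAttributeEncode mimics
// HttpUtility.HtmlAttributeEncode (apostrophe escaped as &#39;).
function htmlEncodeLegacy(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function htmlAttributeEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Renders the tag the way the ASP.NET snippet does: the encoded value is
// wrapped in the chosen quote character (either "'" or '"').
function renderButton(value, quote, encode) {
  return `<input type='button' value=${quote}${encode(value)}${quote} />`;
}

// Minimal attribute tokenizer (constructed for this example; close enough to
// the HTML attribute-value states for the test): a quoted value ends at the
// matching quote, and whatever follows up to the next '=' is a new attribute
// name. Entities are left undecoded. Returns Map<name, value>.
function parseAttributes(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<\w+/, '').replace(/\/?>$/, '');
  const re = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const val = m[2] !== undefined ? m[2]
              : m[3] !== undefined ? m[3]
              : m[4] !== undefined ? m[4] : '';
    attrs.set(m[1].toLowerCase(), val);
  }
  return attrs;
}

// Constructed attacker input: the query-string value from the answer.
const PAYLOAD = `click' onclick='alert("xss")`;

// True when the rendered tag gained an onclick handler, i.e. the payload
// escaped the value attribute.
function isInjected(quote, encode) {
  return parseAttributes(renderButton(PAYLOAD, quote, encode)).has('onclick');
}

// Stand-alone run: prints one line per combination.
for (const [label, encode] of [['HtmlEncode (legacy)', htmlEncodeLegacy],
                               ['HtmlAttributeEncode', htmlAttributeEncode]]) {
  for (const quote of ["'", '"']) {
    console.log(`${label.padEnd(20)} quote=${quote}  injected=${isInjected(quote, encode)}`);
  }
}
```

Only the single-quote plus legacy-HtmlEncode combination yields an `onclick` attribute; double quotes survive the same input because `"` is escaped, and a real attribute encoder escapes both delimiters so the quote style stops mattering, which is the answer's closing advice.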


As far as html is concerned there is no difference. They are both supported. It's when you get into dynamically outputting it via other means that you just need to take care to escape properly etc., but that's as far as whatever scripting language you are using is concerned, not your browser.


Using single quotes for string variables sometimes will give a "too many characters in character literal" error. For example define a class in Entity Framework:

using System;

public class DevEnt
{
    public string Dev_IMEI { get; set; }
    public DateTime Date { get; set; }
}

Then when initializing the IMEI field of an instance from this class,

var dev = new DevEnt()
{
    Dev_IMEI = "111111",
    Date = new DateTime(2015, 12, 1)
};

using single quotes like Dev_IMEI='111111' will give an error.


The standard (XHTML) is double quotes, but browsers still support the non-standard HTML pages out there so they can still understand the single quotes.

You don't have to escape the double quotes.
