带有 ENT_QUOTES 和 UTF-8 的 htmlentities 有什么作用?
[英]What does htmlentities with ENT_QUOTES and UTF-8 do?
问题描述
I have always used simple htmlentities($_POST['string']);
我一直使用简单的htmlentities($_POST['string']); to clean data for any XSS attacks.清除任何 XSS 攻击的数据。 Recently I have seen people use this:最近我看到人们使用这个:
htmlentities($_POST['string'], ENT_QUOTES, 'UTF-8');
What is the advantage or purpose of using that over just htmlentities() .仅使用htmlentities()的优点或目的是什么。
Also don't know if it is relevant but I use meta UTF-8 always at the top of my pages.也不知道它是否相关,但我总是在我的页面顶部使用元 UTF-8。
2 个解决方案
解决方案1
10 已采纳 2013-06-01 07:26:22
ENT_QUOTES is needed if the data is being substituted into an HTML attribute, eg如果数据被替换为 HTML 属性,则需要ENT_QUOTES ,例如
echo '<input type="text" value="' . htmlentities($string, ENT_QUOTES) . '">";
This ensures that quotes are encoded, so they won't terminate the value="..." attribute prematurely.这可确保对引号进行编码,因此它们不会过早终止value="..."属性。
UTF-8 is necessary if your page uses UTF-8 charset, because the default is to use ISO-8859-1 encoding.如果您的页面使用 UTF-8 字符集,则UTF-8是必需的,因为默认是使用 ISO-8859-1 编码。 These encodings need to match or the user will see strange characters.这些编码需要匹配,否则用户会看到奇怪的字符。
解决方案2
0 2019-12-15 00:23:54
The reason why people state the character encoding, and the entity quotes, is that人们说明字符编码和实体引号的原因是
the encapsulation characters ' and " are encoded (ENT_QUOTES)
and 'UTF-8' encoding flag expressed as:
htmlentities($_POST['string'], ENT_QUOTES, $encoding="UTF-8");
or
htmlentities($_POST['string'], ENT_QUOTES, "UTF-8");
in the whole statement.在整个声明中。
The main reason to express the character encoding in the filter is to maintain the frame reference of the input data.在过滤器中表达字符编码的主要原因是为了维护输入数据的帧引用。 If the transmission encoding changed due to either a transmission interference, or malicious transmission packet alterations, the filter fills the missing data with zeros.如果传输编码由于传输干扰或恶意传输数据包更改而发生变化,则过滤器将用零填充丢失的数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.