HTML / Javascript:我应该编码,转义或清除用户生成的alt属性字符串( <img/> 标签)?
[英]HTML / Javascript: Should I encode, escape, or sanitize user-generated strings for alt attributes (<img/> tags)?
问题描述
There seems to be many accepted answers regarding if one needs to encode user-generated HTML attributes (the alt attribute of an image for instance), 'escape' them, or 'sanitize' them. 
关于是否需要对用户生成的HTML属性(例如图像的alt属性)进行编码,“转义”或“清理”它们,似乎有许多公认的答案。
I am wondering: If I am rendering user-generated alt attributes for img elements, how should I encode them (if at all), should I both encode and sanitize? 我想知道:如果要为img元素呈现用户生成的alt属性,应该如何对它们进行编码(如果有的话),是否应该对它们进行编码和清理? Should I both sanitize and escape? 我应该消毒还是逃脱?
If I know any character has the possibility of showing up how should I process this user-generated string before setting it as an alt attribute? 如果我知道任何字符都有可能显示出该用户生成的字符串,然后再将其设置为alt属性,该如何处理?
2 个解决方案
解决方案1
0 2018-11-26 18:45:31
I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag
Assuming you mean that you have something along the lines of: 假设您的意思是:
<img alt={this.props.alt} />
… then no, you don't need to do anything. …那么不,你不需要做任何事情。 React works on the DOM. React在DOM上工作。 You aren't generating HTML source code, so special characters in the data can't be used to inject JavaScript through an XSS vulnerability. 您不会生成HTML源代码,因此数据中的特殊字符不能用于通过XSS漏洞注入JavaScript。
解决方案2
-1 2018-11-26 18:38:26
Sanitizing is required so there are no issues with displaying the string. 需要进行清理,因此显示字符串没有问题。 If you are storing the alt attribute in a database then yyou should definitely escape the string. 如果您将alt属性存储在数据库中,那么您绝对应该对字符串进行转义。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.