在填充用户数据之前清理输入?
[英]Sanitize inputs before filling with user data?
问题描述
When binding previous user input data to an HTML input, is it necessary to sanitize the input before filling the input field with it?
将以前的用户输入数据绑定到 HTML 输入时,是否有必要在用它填充输入字段之前清理输入?
I know the importance of sanitizing user inputs before rendering them on the page.我知道在页面上呈现用户输入之前清理它们的重要性。 But, say a user's input is saved to a database, retrieved, then assigned to a variable.但是,假设用户的输入被保存到数据库,检索,然后分配给一个变量。 The variable is then data-bound to an input.然后将该变量数据绑定到输入。 Upon sanitizing the input (both at the time of binding and on every oninput or onchange event), it gives a poor user experience when typing a prohibited character.在oninput输入时(在绑定时以及在每个oninput或onchange事件上),它在输入禁止字符时会给用户带来糟糕的体验。
For example: every time a "&" character is typed by the user it is immediately changed to " & " in the input field.例如:每次用户键入“&”字符时,它都会立即在输入字段中更改为“ & ”。 It'd be annoying if StackOverflow did this though.但是如果 StackOverflow 这样做会很烦人。
2 个解决方案
解决方案1
0 2020-02-29 02:45:43
You're right, that wouldn't be a good solution, but sanitizing before rendering is still a good idea.你说得对,这不是一个好的解决方案,但在渲染之前进行消毒仍然是一个好主意。
Just sanitize the value before storing it in the bound variable, it's fine if the user types scripts in the input field after that.只需在将值存储在绑定变量中之前对其进行清理,如果用户在此之后在输入字段中键入脚本就可以了。 If you use the value of the input sanitize it again before that.如果您使用输入的值,请在此之前再次对其进行消毒。
解决方案2
0 2020-02-29 02:46:13
html-encode the value taken from the input control. html 编码从输入控件中获取的值。 html-decode previously html-encoded value before placing it into the input control. html-decode 之前 html 编码的值,然后再将它放入输入控件中。
It helps to know the encode state of the value before handling it.它有助于在处理之前了解值的编码状态。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.