htmlspecialchars - there must be a better way
My understanding is that all variables should be output through htmlspecialchars() in a view.
Are there any approaches or methods to do this, without having to specify the function on each appropriate line in each view?
The best that I could come up with is to have a helper function as follows:
function h($var)
{
    // Escape arrays element by element, so a view can pass a whole row through.
    if (is_array($var))
    {
        return array_map('h', $var);
    }
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // single-quoted attributes; 'UTF-8' (with the hyphen) is the canonical charset name.
    return htmlspecialchars($var, ENT_QUOTES, 'UTF-8');
}
But still... this could get very tedious!
Any ideas?
You may have the function h() output the escaped data, rather than return it. Therefore, instead of writing
<?php echo h($myvar); ?>
you may write
<?php h($myvar); ?>
This is now two characters shorter than echoing the variable without converting to entities.
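As an added example (not code from the question or from the answer above), here is a fuller version of the h() helper that the question and this answer discuss, together with the echoing variant the answer suggests. It assumes PHP 8.0 or later for the type declarations; the names h() and hv() and the sample inputs are this example's own.

```php
<?php
// Added example: an output-escaping helper for views, in the spirit of the
// question's h() plus the echoing variant suggested in the answer above.
// Assumes PHP >= 8.0 (mixed / union types). h() and hv() are our own names.
declare(strict_types=1);

/**
 * Return $var escaped for an HTML text node or a quoted attribute value.
 *  - ENT_QUOTES: escape ' as well as ", so single-quoted attributes are safe too
 *    (before PHP 8.1 the default flags left ' untouched).
 *  - ENT_SUBSTITUTE: replace invalid UTF-8 with U+FFFD instead of returning ''
 *    (without it, one bad byte silently blanks the whole value).
 *  - 'UTF-8' (with the hyphen) is the canonical charset name in PHP's table.
 * Arrays are escaped recursively; null becomes ''; ints and floats are cast.
 */
function h(mixed $var): string|array
{
    if (is_array($var)) {
        return array_map('h', $var);
    }
    if ($var === null) {
        return '';
    }
    return htmlspecialchars((string) $var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Echoing variant for scalars: <?php hv($x) ?> instead of <?php echo h($x) ?>. */
function hv(string|int|float|null $var): void
{
    echo h($var);
}

// Constructed inputs standing in for request data.
$samples = [
    'script'   => '<script>alert(1)</script>',
    'attr'     => "x' onmouseover='alert(1)",
    'bad_utf8' => "caf\xE9",                                   // Latin-1 byte, invalid as UTF-8
    'row'      => ['name' => "O'Brien", 'tags' => ['<b>', '&']], // nested array from a DB row
];
foreach ($samples as $label => $value) {
    printf("%-8s %s\n", $label, var_export(h($value), true));
}

// In a template both of these are now safe: the quote in $samples['attr']
// can no longer terminate the single-quoted attribute.
?>
<p><?php hv($samples['attr']) ?></p>
<input type="text" value='<?php hv($samples['attr']) ?>'>
```

One caveat worth keeping in mind: htmlspecialchars() only makes a value safe as HTML text or inside a quoted attribute. An unquoted attribute, a value dropped into an inline script block, a URL component or a CSS value each need their own encoder (for inline JavaScript, json_encode() with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT; for a query-string parameter, rawurlencode()).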
It's an important distinction to note that not all variables must be run through htmlentities/htmlspecialchars, just ones that contain user-supplied content in any way and that are not already filtered against a rule-set to prevent arbitrary code inclusion.
You could create a helper function to cut down on the typing slightly, or loop all user-supplied input through htmlentities/htmlspecialchars in your controllers before handing them off to the view (though this will likely be less efficient, since it is unlikely every piece of user-supplied input will be displayed).
What you have there is probably the closest you come to an easy escape in a lot of situations.
Personally I use a little loop on my variables; if I know I'm going to be using any $_GET variables in my HTML output, I run this:
<?php
// Escape every query-string value in place, before any HTML is emitted.
// ENT_QUOTES also escapes ', which the default flags skipped before PHP 8.1.
// (A value that is itself an array, e.g. ?ids[]=1, would need a recursive walk.)
foreach ($_GET as $key => $value) {
    $_GET[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
?>
Then start my HTML tags right after.
Not everything needs to be escaped though, unless the user has any influence on it.
In addition, you could have a script called escape.php, which uses the above method on the common variables you use, like $_GET, $_POST, $_COOKIE and so on, then include('escape.php') in your scripts before use in the HTML output.
All in all, it pretty much depends on your taste and what you need for your project.
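As an added example (not code from the answer above), here is the "escape the request up front" approach written as a recursive function, so that nested parameters such as ?ids[]=1&ids[]=2 do not hand an array to htmlspecialchars(), followed by a demonstration of the trade-off this approach carries. It assumes PHP 8.0 or later; escape_request() and the sample request are this example's own.

```php
<?php
// Added example: the "escape the request up front" idea from the answer above,
// generalised to nested parameters, plus the trade-off it carries.
// Assumes PHP >= 8.0. escape_request() is our own name for the helper.
declare(strict_types=1);

/**
 * Return a copy of a request array with every leaf value HTML-escaped.
 * A flat foreach over $_GET breaks on ?ids[]=1&ids[]=2 because
 * htmlspecialchars() is given an array; recursing handles any depth.
 * Keys are left alone so that $_GET['name'] lookups keep working.
 */
function escape_request(array $input): array
{
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value)
            ? escape_request($value)
            : htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $out;
}

// What an escape.php would do, once, at the top of every request:
//   $_GET    = escape_request($_GET);
//   $_POST   = escape_request($_POST);
//   $_COOKIE = escape_request($_COOKIE);

// Constructed request instead of a live one.
$get = [
    'q'   => 'Tom & Jerry <3',
    'ids' => ['1', "2' OR '1'='1"],          // HTML-escaping is not SQL-escaping:
                                             // this still needs a prepared statement
    'ref' => 'https://example.com/?a=1&b=2',
];
$escaped = escape_request($get);
var_export($escaped);
echo PHP_EOL;

// The trade-off: the escaped text is what *every* later consumer sees, not
// only the HTML view. Anything stored, compared, or reused in a URL now
// carries &amp; and &#039; instead of the characters the user typed.
echo 'what the user typed:  ', $get['q'], PHP_EOL;      // Tom & Jerry <3
echo 'what the app now has: ', $escaped['q'], PHP_EOL;  // Tom &amp; Jerry &lt;3

// A redirect built from the pre-escaped 'ref' sends the browser to
// ?a=1&amp;b=2, i.e. a parameter named "amp;b" instead of "b":
parse_str((string) parse_url($escaped['ref'], PHP_URL_QUERY), $params);
var_export(array_keys($params));   // array('a', 'amp;b')
echo PHP_EOL;
// Escaping at output time (the h() helper from the question) avoids this,
// because the raw value stays raw until the moment it is rendered as HTML.
```

If you do escape at the request boundary, keep the raw copy around for anything that is not HTML (database queries via prepared statements, redirect targets, log lines, e-mail), or escape at output time instead, which is what the h() helper in the question does.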