
htmlspecialchars - there must be a better way

My understanding is that all variables should be output through htmlspecialchars() in a view.

Are there any approaches or methods to do this, without having to specify the function on each appropriate line in each view?

The best that I could come up with is to have a helper function as follows:

function h($var)
{
  // Walk arrays element by element so nested view data is escaped too
  if (is_array($var))
  {
    return array_map('h', $var);
  }
  else
  {
    // ENT_QUOTES escapes both " and ', so the value is safe inside quoted attributes.
    // The charset name must be 'UTF-8'; PHP does not recognise 'UTF8' and only
    // falls back to UTF-8 after emitting a warning.
    return htmlspecialchars($var, ENT_QUOTES, 'UTF-8');
  }
}

But still...this could get very tedious!

Any ideas?
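The question asks how to avoid writing htmlspecialchars() on every line of every view. One way is to move the escaping into whatever renders the view, so that escaping is the default and unescaped output is the explicit exception. The following is an added example written for this page, not code from the question or its answers; the names SafeHtml, raw() and render() are this example's own, and it assumes PHP 8.0 or later:

```php
<?php
// Added example (not the question's code): a small view renderer that escapes
// every variable before the template runs, so templates write <?= $name ?>
// rather than <?= h($name) ?>. Names (SafeHtml, raw, render) are this example's own.
// Requires PHP 8.0+.
declare(strict_types=1);

/** Markup produced or sanitized by trusted code; must never be escaped again. */
final class SafeHtml
{
    public function __construct(private string $html) {}

    public function __toString(): string
    {
        return $this->html;
    }
}

/** Explicit opt-out: mark trusted markup so render() leaves it alone. */
function raw(string $html): SafeHtml
{
    return new SafeHtml($html);
}

/** Recursively escape scalars for HTML; arrays are walked, SafeHtml passes through. */
function h(mixed $var): mixed
{
    if ($var instanceof SafeHtml) {
        return $var;
    }
    if (is_array($var)) {
        return array_map('h', $var);
    }
    // ENT_QUOTES covers both quote styles in attributes; ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string and silently dropping output.
    return htmlspecialchars((string) $var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render a PHP template file with every variable escaped by default. */
function render(string $templateFile, array $vars): string
{
    // Run the template inside a closure so it cannot see or clobber caller variables.
    $run = static function (string $__file, array $__vars): string {
        extract($__vars, EXTR_SKIP);
        ob_start();
        try {
            include $__file;
            return (string) ob_get_clean();
        } catch (\Throwable $e) {
            ob_end_clean();
            throw $e;
        }
    };
    return $run($templateFile, h($vars));
}

// Constructed demo: a template file and some input values containing HTML metacharacters.
$templateSource = <<<'PHP'
<p title='<?= $title ?>'>Hello <?= $name ?></p>
<ul><?php foreach ($tags as $tag): ?><li><?= $tag ?></li><?php endforeach ?></ul>
<?= $footer ?>
PHP;
$tpl = tempnam(sys_get_temp_dir(), 'view');
file_put_contents($tpl, $templateSource);

echo render($tpl, [
    'name'   => '<script>alert(1)</script>',
    'title'  => "it's \"quoted\" & more",
    'tags'   => ['a&b', '<i>'],
    'footer' => raw('<hr>'),   // trusted markup, passed through unescaped on purpose
]);
unlink($tpl);
```

Run as a script, it prints the paragraph with `&lt;script&gt;`, `&#039;`, `&quot;` and `&amp;` in place of the raw characters, while the `<hr>` wrapped in raw() is emitted as-is. The point of the SafeHtml wrapper is that the unsafe path has to be chosen deliberately and is visible in the view, which is the same escape-by-default model that auto-escaping template engines use.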

You may have the function h() output the escaped data, rather than return it. Therefore, instead of writing <?php echo h($myvar); ?> you may write <?php h($myvar); ?>. This is now two characters shorter than echoing the variable without converting to entities.

It's an important distinction to note that not all variables must be run through htmlentities/htmlspecialchars, just ones that contain user-supplied content in any way, that are not already filtered against a rule-set to prevent arbitrary code inclusion.

You could create a helper function to cut down on the typing slightly, or loop all user-supplied input through htmlentities/htmlspecialchars in your controllers before handing them off to the view (though this will likely be less efficient, since it is unlikely every piece of user-supplied input will be displayed).

What you have there is probably the closest you come to an easy escape in a lot of situations.

Personally I use a little loop on my variables; if I know I'm going to be using any $_GET variables in my HTML output, I run this:

<?php
// Escape every query-string value in place before any HTML is emitted
foreach ($_GET as $key => $value) {
  // Array parameters (?tag[]=a) would make htmlspecialchars() fail, so only scalars are escaped here
  if (!is_array($value)) {
    // ENT_QUOTES escapes ' as well as ", so values are safe in single-quoted attributes too
    $_GET[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
  }
}
?>

Then start my HTML tags right after.

Not everything needs to be escaped though, unless the user has any influence on it.

In addition, you could have a script called escape.php, which uses the above method on common variables you use, like $_GET, $_POST, $_COOKIE and so on, then include('escape.php') in your scripts before use in the HTML output.

Overall it pretty much depends on your taste and what you need for your project.
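Escaping $_GET in place before the HTML starts, as the loop above does, escapes at input rather than at output, and that has a few failure modes worth knowing about. The following added example, which is not part of the answer, demonstrates three of them (double encoding of values that were already escaped when stored, array query parameters, and the effect of the flags argument) against a constructed request; e(), escapeRequest() and check() are this example's own helpers, and it assumes PHP 8.0 or later:

```php
<?php
// Added example, not the answer's own code: three ways that escaping request
// data once at input (the $_GET loop above) differs from escaping at output.
// Requires PHP 8.0+ (str_contains, TypeError for arrays passed to htmlspecialchars).
declare(strict_types=1);

/** Escape for an HTML text node or a quoted attribute value. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escape a whole request array, recursing so ?tag[]=a&tag[]=b is handled. */
function escapeRequest(array $input): array
{
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value) ? escapeRequest($value) : e((string) $value);
    }
    return $out;
}

/** Fail loudly instead of relying on zend.assertions being enabled. */
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// 1. Escape at input, store, escape again at output: the browser then shows the
//    literal text "Tom &amp; Jerry" instead of "Tom & Jerry".
$storedEscaped = e('Tom & Jerry');
check(e($storedEscaped) === 'Tom &amp;amp; Jerry', 'double encoding');
// double_encode=false leaves existing entities alone, but every output site has
// to remember it, which is exactly the per-line burden the question is about.
check(htmlspecialchars($storedEscaped, ENT_QUOTES, 'UTF-8', false) === 'Tom &amp; Jerry', 'double_encode=false');

// 2. A plain foreach over $_GET hands arrays to htmlspecialchars(), which is a
//    TypeError in PHP 8. Constructed request equivalent to ?q=<b>&tag[]=a&tag[]=<i>
$get = ['q' => '<b>', 'tag' => ['a', '<i>']];
$arrayRejected = false;
try {
    htmlspecialchars($get['tag'], ENT_QUOTES, 'UTF-8');
} catch (TypeError) {
    $arrayRejected = true;
}
check($arrayRejected, 'array value rejected by htmlspecialchars');
check(escapeRequest($get) === ['q' => '&lt;b&gt;', 'tag' => ['a', '&lt;i&gt;']], 'recursive escape');

// 3. Flags matter: ENT_COMPAT (the default before PHP 8.1) leaves single quotes
//    alone, so a value inside a single-quoted attribute can still close the quote.
$hostile = "x' onmouseover='alert(1)";
check(str_contains(htmlspecialchars($hostile, ENT_COMPAT, 'UTF-8'), "'"), 'ENT_COMPAT keeps single quote');
check(!str_contains(e($hostile), "'"), 'ENT_QUOTES encodes single quote');

echo "all checks passed\n";
```

The script throws on the first check that fails and otherwise prints "all checks passed". The practical conclusion matches the second answer: escape at the point of output, with the flags chosen for that output context, rather than once at input where the eventual context is unknown.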
