- Κείμενο
- Ιστορία
I'm sorry, I should have differenti
I'm sorry, I should have differentiated when I said to always use htmlentities.
When dealing with user input, you have to make a difference between 2 kinds of user input: user input where HTML is allowed, and user input where HTML is not allowed. For example, the text we've been writing on this board is the kind where HTML is not allowed (which is the reason why it uses BBCode tags instead), and that's the kind of input you'll find 99% of the time. In fact, pretty much the only place you'll usually find user input where HTML is allowed are WYSIWYG editors in CMS'es.
For user input where HTML is not allowed, it's very simple: always apply htmlentities before echoing any of it. The reason for this is simple: suppose you have a site where you can log in through a cookie. If you had failed to apply htmlentities, a malicious user could enter some javascript code that reads the cookie and sends it to him, thereby effectively enabling him to log in as anyone who has viewed the page where his javascript code is displayed (and executed, because his ... input was simply inserted into the HTML code). This is known as an XSS exploit; they're pretty common these days and people (or bots) will try it on your site.
For user input where HTML is allowed, you have to think about whether you trust your users to enter non-malicious input or not. Since this kind of input is usually found in a CMS which only the site owners can access, you can usually output the HTML as-is, without applying any escaping (which is the expected behavior from a WYSIWYG editor).
The real problem comes when you need to allow potentially malicious users to enter HTML input. This is where you would have to manually strip out any possibly malicious stuff (such as tags, etc) before displaying it. The problem with this approach is that this can get very complex to do reliably; most browsers allow for such a high degree of malformed input that it has proven to be virtually impossible for you to take all of it into account, and there have been countless examples of savvy people bypassing the input stripping by making it malformed, but in such a way that the browsers can still understand it.
That is why, to avoid this entire hassle but to still allow for some basic HTML capabilities for the grand public, alternatives like BBCode and UBB are frequently used. Major advantage here is that you control explicitly which tags can be used and which can't, and that tags that are not allowed simply won't be parsed. Since this approach replaces the usual HTML tags (which are parsed client-side) with equivalent BBCode tags (which are parsed server-side), you'll still want to apply htmlentities though - otherwise users could still use regular HTML tags. Writing a BBCode or UBB parser can be more complicated than it looks at first sight, so I'd advise you to use some of the excellent existing libraries out there rather than write your own.
As for htmlentities vs htmlspecialchars, the difference is that htmlentities escapes more characters than htmlspecialchars. For the purposes of escaping user input htmlspecialchars would work fine too, but why not escape more?
For your
problem, here's what you do: the user enters his input in a standard . This textarea contains his input with the lines separated by a newline character (
). You simply take the input from the textarea, and insert it into the DB as-is. Then, when displaying it again, you apply htmlentities to it, and then run it through nl2br - this will convert the newlines to
tags. Otherwise the newlines would only show up in the HTML source, and not on the rendered page. Note that you first apply htmlentities and then nl2br; if you had done it the other way around, the
's would have escaped by htmlentities.
When you want to enable the user to edit his input again, you apply htmlentities and echo it back between and . Here, you don't have to apply nl2br - the textarea control picks up on the newlines in the source code. Also, the entities escaped by htmlentities will be un-escaped again by your browser before sending the form data; this way you'll keep their original input instead of saving the escaped entities in the DB.
When dealing with user input, you have to make a difference between 2 kinds of user input: user input where HTML is allowed, and user input where HTML is not allowed. For example, the text we've been writing on this board is the kind where HTML is not allowed (which is the reason why it uses BBCode tags instead), and that's the kind of input you'll find 99% of the time. In fact, pretty much the only place you'll usually find user input where HTML is allowed are WYSIWYG editors in CMS'es.
For user input where HTML is not allowed, it's very simple: always apply htmlentities before echoing any of it. The reason for this is simple: suppose you have a site where you can log in through a cookie. If you had failed to apply htmlentities, a malicious user could enter some javascript code that reads the cookie and sends it to him, thereby effectively enabling him to log in as anyone who has viewed the page where his javascript code is displayed (and executed, because his ... input was simply inserted into the HTML code). This is known as an XSS exploit; they're pretty common these days and people (or bots) will try it on your site.
For user input where HTML is allowed, you have to think about whether you trust your users to enter non-malicious input or not. Since this kind of input is usually found in a CMS which only the site owners can access, you can usually output the HTML as-is, without applying any escaping (which is the expected behavior from a WYSIWYG editor).
The real problem comes when you need to allow potentially malicious users to enter HTML input. This is where you would have to manually strip out any possibly malicious stuff (such as tags, etc) before displaying it. The problem with this approach is that this can get very complex to do reliably; most browsers allow for such a high degree of malformed input that it has proven to be virtually impossible for you to take all of it into account, and there have been countless examples of savvy people bypassing the input stripping by making it malformed, but in such a way that the browsers can still understand it.
That is why, to avoid this entire hassle but to still allow for some basic HTML capabilities for the grand public, alternatives like BBCode and UBB are frequently used. Major advantage here is that you control explicitly which tags can be used and which can't, and that tags that are not allowed simply won't be parsed. Since this approach replaces the usual HTML tags (which are parsed client-side) with equivalent BBCode tags (which are parsed server-side), you'll still want to apply htmlentities though - otherwise users could still use regular HTML tags. Writing a BBCode or UBB parser can be more complicated than it looks at first sight, so I'd advise you to use some of the excellent existing libraries out there rather than write your own.
As for htmlentities vs htmlspecialchars, the difference is that htmlentities escapes more characters than htmlspecialchars. For the purposes of escaping user input htmlspecialchars would work fine too, but why not escape more?
For your
problem, here's what you do: the user enters his input in a standard . This textarea contains his input with the lines separated by a newline character (
). You simply take the input from the textarea, and insert it into the DB as-is. Then, when displaying it again, you apply htmlentities to it, and then run it through nl2br - this will convert the newlines to
tags. Otherwise the newlines would only show up in the HTML source, and not on the rendered page. Note that you first apply htmlentities and then nl2br; if you had done it the other way around, the
's would have escaped by htmlentities.
When you want to enable the user to edit his input again, you apply htmlentities and echo it back between and . Here, you don't have to apply nl2br - the textarea control picks up on the newlines in the source code. Also, the entities escaped by htmlentities will be un-escaped again by your browser before sending the form data; this way you'll keep their original input instead of saving the escaped entities in the DB.
0/5000
Λυπάμαι, εγώ θα πρέπει έχουν διαφοροποιηθεί όταν είπα να χρησιμοποιείτε πάντα htmlentities.Όταν ασχολούμαστε με την παρέμβαση του χρήστη, θα πρέπει να κάνει τη διαφορά μεταξύ 2 είδη της εισόδου του χρήστη: εισαγωγή από το χρήστη όπου επιτρέπεται το HTML, και τα σχόλια των χρηστών όπου HTML δεν επιτρέπεται. Για παράδειγμα, το κείμενο που έχω γράψει σε αυτό το σύστημα είναι το είδος όπου HTML δεν επιτρέπεται (η οποία είναι ο λόγος γιατί χρησιμοποιεί Ετικέτες BBCode αντί), και αυτό είναι το είδος των εισροών θα βρείτε 99% του χρόνου. Στην πραγματικότητα, λίγο πολύ το μόνο μέρος θα βρείτε συνήθως εισόδου χρήστη όπου επιτρέπεται η HTML είναι WYSIWYG συντάκτες σε CMS'es.Εισαγωγή χρήστη όπου HTML δεν επιτρέπεται, είναι πολύ απλό: ισχύει πάντα htmlentities πριν επαναλαμβάνοντας αυτό. Ο λόγος για αυτό είναι απλός: Ας υποθέσουμε ότι έχετε μια ιστοσελίδα όπου μπορείτε να συνδεθείτε μέσω ενός cookie. Αν σας είχε αποτύχει να εφαρμόσει htmlentities, ένας κακόβουλος χρήστης θα μπορούσε να εισάγετε κάποιο κώδικα javascript που διαβάζει το cookie και στέλνει σ ' αυτόν, με αυτόν τον τρόπο αποτελεσματικά, επιτρέποντάς του να συνδεθείτε ως κάποιος που έχει είδαν την σελίδα όπου εμφανίζεται του κώδικα javascript (και εκτελέστηκε, επειδή του ... εισόδου ήταν απλά εισάγεται τον κωδικό HTML). Αυτό είναι γνωστό ως ένα XSS εκμεταλλεύομαι? είναι αρκετά κοινό αυτές τις μέρες, και άνθρωποι (ή bots) θα δοκιμάσω στο δικτυακό σας τόπο.Εισαγωγή χρήστη όπου επιτρέπεται το HTML, θα πρέπει να σκεφτούμε αν εμπιστεύεστε σας στους χρήστες να εισαγάγουν μη-κακόβουλα εισόδου ή όχι. Δεδομένου ότι αυτό το είδος της εισόδου βρίσκεται συνήθως σε ένα CMS που μόνο οι ιδιοκτήτες του site μπορούν να έχουν πρόσβαση, μπορείτε να πραγματοποιήσετε έξοδο συνήθως την HTML ως-είναι, χωρίς την εφαρμογή τυχόν διαφυγή (η οποία είναι η αναμενόμενη συμπεριφορά από ένα WYSIWYG editor).Το πραγματικό πρόβλημα προέρχεται όταν χρειαστεί να επιτρέψετε δυνητικά κακόβουλους χρήστες να εισάγετε HTML εισροών. Αυτό είναι όπου θα πρέπει να απομακρύνουν με μη αυτόματο τρόπο κάθε ενδεχομένως κακόβουλο πράγματα (όπως tags, etc) before displaying it. The problem with this approach is that this can get very complex to do reliably; most browsers allow for such a high degree of malformed input that it has proven to be virtually impossible for you to take all of it into account, and there have been countless examples of savvy people bypassing the input stripping by making it malformed, but in such a way that the browsers can still understand it.
That is why, to avoid this entire hassle but to still allow for some basic HTML capabilities for the grand public, alternatives like BBCode and UBB are frequently used. Major advantage here is that you control explicitly which tags can be used and which can't, and that tags that are not allowed simply won't be parsed. Since this approach replaces the usual HTML tags (which are parsed client-side) with equivalent BBCode tags (which are parsed server-side), you'll still want to apply htmlentities though - otherwise users could still use regular HTML tags. Writing a BBCode or UBB parser can be more complicated than it looks at first sight, so I'd advise you to use some of the excellent existing libraries out there rather than write your own.
As for htmlentities vs htmlspecialchars, the difference is that htmlentities escapes more characters than htmlspecialchars. For the purposes of escaping user input htmlspecialchars would work fine too, but why not escape more?
For your
problem, here's what you do: the user enters his input in a standard . This textarea contains his input with the lines separated by a newline character (
). You simply take the input from the textarea, and insert it into the DB as-is. Then, when displaying it again, you apply htmlentities to it, and then run it through nl2br - this will convert the newlines to
tags. Otherwise the newlines would only show up in the HTML source, and not on the rendered page. Note that you first apply htmlentities and then nl2br; if you had done it the other way around, the
's would have escaped by htmlentities.
When you want to enable the user to edit his input again, you apply htmlentities and echo it back between and . Here, you don't have to apply nl2br - the textarea control picks up on the newlines in the source code. Also, the entities escaped by htmlentities will be un-escaped again by your browser before sending the form data; this way you'll keep their original input instead of saving the escaped entities in the DB.
That is why, to avoid this entire hassle but to still allow for some basic HTML capabilities for the grand public, alternatives like BBCode and UBB are frequently used. Major advantage here is that you control explicitly which tags can be used and which can't, and that tags that are not allowed simply won't be parsed. Since this approach replaces the usual HTML tags (which are parsed client-side) with equivalent BBCode tags (which are parsed server-side), you'll still want to apply htmlentities though - otherwise users could still use regular HTML tags. Writing a BBCode or UBB parser can be more complicated than it looks at first sight, so I'd advise you to use some of the excellent existing libraries out there rather than write your own.
As for htmlentities vs htmlspecialchars, the difference is that htmlentities escapes more characters than htmlspecialchars. For the purposes of escaping user input htmlspecialchars would work fine too, but why not escape more?
For your
problem, here's what you do: the user enters his input in a standard . This textarea contains his input with the lines separated by a newline character (
). You simply take the input from the textarea, and insert it into the DB as-is. Then, when displaying it again, you apply htmlentities to it, and then run it through nl2br - this will convert the newlines to
tags. Otherwise the newlines would only show up in the HTML source, and not on the rendered page. Note that you first apply htmlentities and then nl2br; if you had done it the other way around, the
's would have escaped by htmlentities.
When you want to enable the user to edit his input again, you apply htmlentities and echo it back between and . Here, you don't have to apply nl2br - the textarea control picks up on the newlines in the source code. Also, the entities escaped by htmlentities will be un-escaped again by your browser before sending the form data; this way you'll keep their original input instead of saving the escaped entities in the DB.
Μεταφράζονται, παρακαλώ περιμένετε..
Λυπάμαι, εγώ έπρεπε να διαφοροποιηθεί όταν είπα να χρησιμοποιείτε πάντα htmlentities. Όταν ασχολούμαστε με την είσοδο του χρήστη, θα πρέπει να κάνει τη διαφορά ανάμεσα σε 2 είδη της εισόδου του χρήστη: είσοδος χρήστη όπου HTML δεν επιτρέπεται, και την είσοδο του χρήστη, όπου HTML δεν είναι επιτρέπονται. Για παράδειγμα, το κείμενο που έχουμε γράψει σε αυτό το σύστημα είναι το είδος όπου δεν επιτρέπεται HTML (που είναι ο λόγος για τον οποίο χρησιμοποιεί ετικέτες BBCode αντί), και αυτό είναι το είδος της εισόδου θα βρείτε το 99% του χρόνου. Στην πραγματικότητα, σχεδόν το μόνο μέρος που θα βρείτε συνήθως εισόδου του χρήστη, όπου HTML δεν επιτρέπεται είναι WYSIWYG συντάκτες σε CMS'es. Για την είσοδο του χρήστη, όπου HTML δεν επιτρέπεται, είναι πολύ απλό: εφαρμόζει πάντα htmlentities πριν επαναλαμβάνοντας τίποτα. Ο λόγος για αυτό είναι απλός: ας υποθέσουμε ότι έχετε μια ιστοσελίδα όπου μπορείτε να συνδεθείτε με ένα cookie. Αν είχε αποτύχει να εφαρμόσει htmlentities, ένας κακόβουλος χρήστης θα μπορούσε να τεθεί κάποιο javascript κώδικα που διαβάζει το cookie και το στέλνει σ 'αυτόν, με τον τρόπο αυτό ουσιαστικά που να του επιτρέπει να συνδεθείτε και όποιος έχει δει τη σελίδα όπου εμφανίζεται κωδικό του Javascript (και εκτελείται, επειδή του είσοδος ήταν απλά εισάγεται στον κώδικα HTML). Αυτό είναι γνωστό ως XSS εκμεταλλεύονται? ότι είναι αρκετά κοινό αυτές τις μέρες και οι άνθρωποι (ή bots) θα προσπαθήσουμε για το site σας. Για την είσοδο του χρήστη, όπου επιτρέπεται HTML, θα πρέπει να σκεφτούμε αν εμπιστεύεστε τους χρήστες σας για να εισέλθετε μη κακόβουλο εισόδου ή όχι. Δεδομένου ότι αυτό το είδος της εισόδου βρίσκεται συνήθως σε ένα CMS το οποίο μόνο οι ιδιοκτήτες της ιστοσελίδας μπορεί να έχει πρόσβαση, μπορείτε συνήθως εξόδου η HTML ως έχει, χωρίς την εφαρμογή οποιασδήποτε διαφυγή (η οποία είναι η αναμενόμενη συμπεριφορά από ένα πρόγραμμα επεξεργασίας WYSIWYG). Το πραγματικό πρόβλημα έρχεται όταν θα πρέπει να επιτρέψει ενδεχομένως σε κακόβουλους χρήστες να εισέλθουν εισόδου HTML. Αυτό είναι όπου θα πρέπει να αφαιρέσει το χέρι οποιαδήποτε πιθανώς κακόβουλα πράγματα (όπως
...
tags, etc) before displaying it. The problem with this approach is that this can get very complex to do reliably; most browsers allow for such a high degree of malformed input that it has proven to be virtually impossible for you to take all of it into account, and there have been countless examples of savvy people bypassing the input stripping by making it malformed, but in such a way that the browsers can still understand it.
That is why, to avoid this entire hassle but to still allow for some basic HTML capabilities for the grand public, alternatives like BBCode and UBB are frequently used. Major advantage here is that you control explicitly which tags can be used and which can't, and that tags that are not allowed simply won't be parsed. Since this approach replaces the usual HTML tags (which are parsed client-side) with equivalent BBCode tags (which are parsed server-side), you'll still want to apply htmlentities though - otherwise users could still use regular HTML tags. Writing a BBCode or UBB parser can be more complicated than it looks at first sight, so I'd advise you to use some of the excellent existing libraries out there rather than write your own.
As for htmlentities vs htmlspecialchars, the difference is that htmlentities escapes more characters than htmlspecialchars. For the purposes of escaping user input htmlspecialchars would work fine too, but why not escape more?
For your
problem, here's what you do: the user enters his input in a standard . This textarea contains his input with the lines separated by a newline character (
). You simply take the input from the textarea, and insert it into the DB as-is. Then, when displaying it again, you apply htmlentities to it, and then run it through nl2br - this will convert the newlines to
tags. Otherwise the newlines would only show up in the HTML source, and not on the rendered page. Note that you first apply htmlentities and then nl2br; if you had done it the other way around, the
's would have escaped by htmlentities.
When you want to enable the user to edit his input again, you apply htmlentities and echo it back between and . Here, you don't have to apply nl2br - the textarea control picks up on the newlines in the source code. Also, the entities escaped by htmlentities will be un-escaped again by your browser before sending the form data; this way you'll keep their original input instead of saving the escaped entities in the DB.
...
tags, etc) before displaying it. The problem with this approach is that this can get very complex to do reliably; most browsers allow for such a high degree of malformed input that it has proven to be virtually impossible for you to take all of it into account, and there have been countless examples of savvy people bypassing the input stripping by making it malformed, but in such a way that the browsers can still understand it.
That is why, to avoid this entire hassle but to still allow for some basic HTML capabilities for the grand public, alternatives like BBCode and UBB are frequently used. Major advantage here is that you control explicitly which tags can be used and which can't, and that tags that are not allowed simply won't be parsed. Since this approach replaces the usual HTML tags (which are parsed client-side) with equivalent BBCode tags (which are parsed server-side), you'll still want to apply htmlentities though - otherwise users could still use regular HTML tags. Writing a BBCode or UBB parser can be more complicated than it looks at first sight, so I'd advise you to use some of the excellent existing libraries out there rather than write your own.
As for htmlentities vs htmlspecialchars, the difference is that htmlentities escapes more characters than htmlspecialchars. For the purposes of escaping user input htmlspecialchars would work fine too, but why not escape more?
For your
problem, here's what you do: the user enters his input in a standard . This textarea contains his input with the lines separated by a newline character (
). You simply take the input from the textarea, and insert it into the DB as-is. Then, when displaying it again, you apply htmlentities to it, and then run it through nl2br - this will convert the newlines to
tags. Otherwise the newlines would only show up in the HTML source, and not on the rendered page. Note that you first apply htmlentities and then nl2br; if you had done it the other way around, the
's would have escaped by htmlentities.
When you want to enable the user to edit his input again, you apply htmlentities and echo it back between and . Here, you don't have to apply nl2br - the textarea control picks up on the newlines in the source code. Also, the entities escaped by htmlentities will be un-escaped again by your browser before sending the form data; this way you'll keep their original input instead of saving the escaped entities in the DB.
Μεταφράζονται, παρακαλώ περιμένετε..
Άλλες γλώσσες
η υποστήριξη εργαλείο μετάφρασης: Klingon, Ίγκμπο, Όντια (Ορίγια), Αγγλικά, Αζερμπαϊτζανικά, Αλβανικά, Αμχαρικά, Αναγνώριση γλώσσας, Αραβικά, Αρμενικά, Αφρικάανς, Βασκικά, Βεγγαλική, Βιετναμεζικά, Βιρμανικά, Βοσνιακά, Βουλγαρικά, Γίντις, Γαελικά Σκοτίας, Γαλικιακά, Γαλλικά, Γερμανικά, Γεωργιανά, Γιορούμπα, Γκουτζαρατικά, Δανικά, Εβραϊκά, Ελληνικά, Εσθονικά, Εσπεράντο, Ζουλού, Ζόσα, Ιαπωνικά, Ινδονησιακά, Ιρλανδικά, Ισλανδικά, Ισπανικά, Ιταλικά, Καζακστανικά, Κανάντα, Καταλανικά, Κινέζικα, Κινεζικά (Πα), Κινιαρουάντα, Κιργιζιανά, Κορεατικά, Κορσικανικά, Κουρδικά, Κρεόλ Αϊτής, Κροατικά, Λάο, Λατινικά, Λετονικά, Λευκορωσικά, Λιθουανικά, Λουξεμβουργιανά, Μαλέι, Μαλαγάσι, Μαλαγιάλαμ, Μαλτεζικά, Μαορί, Μαραθικά, Μογγολικά, Νεπαλικά, Νορβηγικά, Ολλανδικά, Ουαλικά, Ουγγρικά, Ουζμπεκικά, Ουιγούρ, Ουκρανικά, Ουρντού, Πάστο, Παντζάμπι, Περσικά, Πολωνικά, Πορτογαλικά, Ρουμανικά, Ρωσικά, Σίντι, Σαμοανικά, Σεμπουάνο, Σερβικά, Σεσότο, Σινχάλα, Σλαβομακεδονικά, Σλοβακικά, Σλοβενικά, Σομαλικά, Σουαχίλι, Σουηδικά, Σούντα, Σόνα, Ταζικιστανικά, Ταμίλ, Ταταρικά, Ταϊλανδεζικά, Τελούγκου, Τζαβανεζικά, Τούρκικα, Τσεχικά, Τσιτσέουα, Φιλιπινεζικά, Φινλανδικά, Φριζιανά, Χάουσα, Χίντι, Χαβαϊκά, Χμερ, Χμονγκ, τουρκμενικά, γλώσσα της μετάφρασης.
- δικιά σου;
- me voy a dormir
- Τα ονοματα τουσ Μιχαλησ και στελα
- and blood leak detector
- tha to deis?
- Ομορφες στιγμες
- Preparation of the extracorporeal system
- Θα το δεις?
- For this reason, the dialysate must meet
- strip_tags is only intended to strip HTM
- Bir büyük olan fazilet cağıral. 32 yaşın
- ελπιζω να σε δουμε απο κοντα και συντομα
- dializzato
- κι εγω λιγο
- Λέγω ὅτι πολλαί καί καλαί ἐλπίδες ἡμῖν ε
- κι εγώ λίγο
- Aυτη δυο παιδια εχει
- κι εγώ
- δυο παιδια εχει
- λίγο
- το ονομα της πρωτης μου αδελφησ ειναι
- θα με αποδεχθείς;
- Αναγέννηση
- Son olarak, benim dığer kardeşi Andrı ça
