文本字段中允许的字符标准是什么
新用户注册的文本字段中允许使用哪些典型字符? 有www标准吗? 对允许的用户名和密码字符类型特别感兴趣。
What are the typical characters allowed in text fields in a new user sign-up? Are there www standards? Especially interested in Username and Password character types allowed.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(10)
不限制密码字符。 可用字符越多,密码就越安全。 没有充分的理由禁止在密码中使用空格。
对于用户名,这取决于它们的显示位置。 如果您打算为用户提供自己的个人资料 URL,那么您可能会希望对字符进行更多限制。
只是当您再次输出用户输入时,不要忘记转义它们。
Don't restrict password characters. The more characters available, the more secure passwords can be. There's no good reason to forbid spaces, for example, in a password.
For usernames, it depends on where they will be displayed. If you plan to give users there own profile URL, you would want to limit characters much more than if not.
Just don't forget to escape user inputs when you output them again.
我更喜欢能够使用字母、数字和特殊字符来创建密码。 我真的很讨厌网站拒绝我使用特殊字符,尤其是!@$*。
I prefer to be able to use alphabetic, numeric, and special characters to create my passwords. I really hate it when sites deny me the use of special characters, particularly !@$*.
你有什么理由拒绝任何角色? 您应该允许一切,但空字符可能除外。 当您在站点上打印用户名时,您必须对用户名进行编码,以避免跨站点脚本问题,但即使您只是为了安全起见而过滤“危险”字符,您也可能应该这样做。 允许使用所有字符,尤其是密码,可以大大提高可用性(以及密码的安全性)。 另外,请记住,如果某些用户的名称中包含重音符号(或者使用非拉丁字母,如中文或俄语),他们可能希望输入 UTF8 字符。
What reason would you have to ever deny any characters? You should just allow everything, with the possible exception of the null character. You will have to encode usernames when you print them on your site to avoid cross-site scripting problems, but you probably should do that anyways even if you're filtering the "dangerous" characters just to be safe. Allowing all characters, especially for passwords, greatly increases usability (and security, in the case of passwords). Also, keep in mind that some users may want to input UTF8 characters if they have accents in their names (or if they're using a non-latin alphabet like Chinese or Russian).
如果您确实限制字符,那么不应该是出于安全考虑(例如,防止使用引号,这样人们就无法插入 SQL)。 您的代码应该能够处理输入字符串中的任何字符,只要它们被发送到某个地方,就可以正确地对其进行转义。 但出于商业原因或某些其他实际原因(例如 Zach 的 URL 示例)限制它们是可以的。
If you do restrict characters, it shouldn't be for security (e.g. preventing quotes so people can't insert SQL). Your code should be able to handle any characters in an input string, by properly escaping them whenever they're sent somewhere. But it's fine to restrict them for business reasons, or for certain other practical reasons (e.g. Zach's example of a URL).
请允许所有 O'Briens、O'Malleys、O'Reillys 和其他带撇号的名字使用撇号!
PLEASE allow apostrophes for all of the O'Briens, O'Malleys, O'Reillys and other apostrophed names!
非英语用户会使用您的应用程序吗?
至少允许使用欧洲字符,如 á à é è ì。
当然,如果它必须真正国际化,那么您必须允许中文和阿拉伯语等语言中的任何字符。
在我看来,如果你不想让任何人生气,你就不能真正列出允许的字符列表。
如果您想出于安全目的执行此操作,我建议您在尝试使用字符串之前转义必要的字符,而不是预先进行过滤。
Will your application be used by any non-english users?
At the very least allow European characters like á à é è ì.
Of course if it has to be truly internationalized then you have to allow any characters in languages like Chinese and Arabic.
Looks to me like you can't really make a list of allowed characters if you don't want to make anyone mad.
If you want to do this for security purposes, I would recommend escaping the necessary characters before trying to use the string instead of filtering up front.
也补充一下其他人所说的:
密码:任何内容,但一定要散列它们(当然)
用户名:所有内容,除了可能是一个空格...或多个空格(即,单个空格可以,多个空格 = 1 个空格)
too add to what others have said:
password: anything and everything, but do hash them (of course)
username: everything, except, possibly a space... or multiple spaces (ie., single space is ok, more than one space = 1 space)
密码至少应该允许目标语言环境中键盘上可用的每个字符。
Passwords should, as an absolute minimum, allow every character available from the keyboard in your target locale(s).
不要限制任何内容,如果您想为用户提供自己的 URL,请使用数字 ID 或要求用户为 URL 命名。 切勿显示用户的用户名,显示其显示名称(应限制为除危险的 Unicode 字符之外的任何内容)并在注册后要求显示。
Don't restrict anything and if you want to give users their own URLs either use a numerical ID or ask the user to make make the name for the URL. Never display the user's user name, display their display name (which should be limited to anything except dangerous Unicode characters) and asked for after sign up.