style= 属性中的注释 - 安全吗?
我正在开发一个 CMS,它可以根据用户输入生成 CSS“style='xyz'” 语句。 用户输入将被验证,但作为额外的保护措施,我想检查 CSS 代码生成时值的有效性。
如果遇到无效值 - 例如相对宽度(“50%”),由于布局限制,仅允许绝对值 - 我想在样式属性内返回注释以帮助调试:
<div class="content" style="background-color: lightblue; /* WIDTH was invalid: Only absolute values allowed here */; border: 1px orange dotted;">
这是否“安全”,即所有主流浏览器仍然会正确解析注释前后的设置吗?谷歌很难找到这方面的信息。
I am working on a CMS that generates CSS "style='xyz'" statements from user input.
The user input will be validated but as an additional safeguard, I want to check the validity of the values on generation of the CSS code.
If an invalid value is encountered - e.g. a relative width ("50%") where only absolute values are allowed due to layout restrictions - I would like to return a comment INSIDE the style attribute to help debugging:
<div class="content" style="background-color: lightblue; /* WIDTH was invalid: Only absolute values allowed here */; border: 1px orange dotted;">
Is this "safe", i.e. will all major browsers still parse the settings before and after the comment properly? It is difficult to Google information about this.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
它可能是安全的,但我不会将错误的值注释到标记中。
在生成标记之前,让用户知道他们一开始就做错了。
一个好主意是创建这样一个测试用例并将其提供给 W3C 验证器,看看它会说些什么。
http://validator.w3.org/
It is probably safe but I wouldn't put the wrong values commented into the markup.
Let the user know they did something wrong in the very beginning before you generate markup.
A good idea would be to create such a test case and feed it to the W3C validator to see what it would say says about it.
http://validator.w3.org/
从我的想法来看,IE 支持,Fx 不支持。
From the top of my head, IE supports it, Fx doesn't.