清理预先填写的用户提供的表单输入
我有一个接受文本输入的表单。我希望它能够接受诸如 & 之类的字符。和 ;和>和 <,它们对于用户提供的数据来说是有用的字符。例如,我希望用户能够说
与号 (&) 被编码为 & (我从预览中看到我什至不能在这里这样做 - 它应该看起来像 与号 (&) 编码为 & 但我必须输入 amp;amp;在 & 符号之后,使其看起来正确。) (顺便说一句,预览很酷,但我不能指望用户启用了脚本)
我解析数据,如果有问题,我会将用户的条目以相同的形式呈现给用户,并预先填充在同一字段中,进行编辑和重新提交。
如果我提供原始数据,我就会面临浏览器执行恶意输入(例如脚本或 HTML)的风险。但是,如果我过滤它(例如通过 htmlspecialcharacters),那么用户将看到他输入的字符(例如&符号)(表示),但是当他重新提交时,他实际上将提交替换(在本例中看起来像 &),事实证明它甚至包含一个 & 符号。如果输入仍然存在问题,则会再次呈现进行编辑,我们将进行更深入的替换。
仅当用户实际提交的内容与数据的净化版本相同时,才会接受用户数据。它的目标是服务器上的文本文件,以及发送到网站背后的组织的电子邮件。
我想“可以回答的问题”是“这可能吗?”
Jose
编辑:
<?php
$var=$_GET["test2"];
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
<title>Input Escape Test</title>
</head><body>
The php parser would store the following input:<br>
<?php echo $var ?>
<br>
<form method="get" action="test.php"><p>
<label for "test2">Test - question five: <br>type in a character on the first line<br>and its HTML entity on the second line.
<textarea name="test2" cols="50" rows="3"><?php echo $var; ?></textarea><br/>
<input type="submit"/>
</p></form>
</body></html>
结果是用户尝试回答问题的表单 与号 & 符号 amp 分号。 如果被拒绝(例如,由于其他非法字符),则会向用户显示他的输入,减去被剥离的字符。然而, amp 分号 也从视图中删除(尽管它在源代码中)。 然后,用户将尝试在显示的结果中添加另一个 amp 分号。
用户看到的唯一途径 & 符号 amp 分号 显示(在拒绝输入时),是输入 & amp 分号 amp 分号
终于满意了,用户再次点击提交,amp 分号似乎又消失了。用户不知道他的(提交的)答案将被存储为什么。
我希望用户能够输入: & 符号 amp 分号 并且,在拒绝后,请参阅 & 符号 amp 分号 并在接受后,存储 & 符号与分号
Jose
I have a form which accepts text input. I would like it to be able to accept characters such as & and ; and > and <, which are useful characters for the data being supplied by the user. I want the user to, for example, be able to say
The ampersand (&) is encoded as &
(and I see from the preview that I can't even do that here - it should look like
The ampersand (&) is encoded as &
but I had to type in amp;amp; after the ampersand to get that to look right.)
(btw, the preview is cool, but I can't count on users having scripts enabled)
I parse the data, and if there is a problem with it, I present the user's entry back to the user, in the same form, prefilled in the same field, for editing and resubmission.
If I present the raw data, I run the risk of having hostile input (such as scripts or HTML) executed by the browser. However, if I filter it (such as via htmlspecialcharacters), then the user would see (a representation of) the character he had typed (say, the ampersand), but when he re-submits, he will =actually= be submitting the replacement (in this case what looks like &), which as it turns out even contains an ampersand. If there is still a problem with the input, it will be presented again for editing, and we'll be another level deep in replacements.
User data is accepted only when what the user actually submits is identical to the sanitized version of the data. It is destined for a text file on the server, and an Email sent to the organization behind the website.
I suppose the "question that can be answered" is "is this even possible?"
Jose
edit:
<?php
$var=$_GET["test2"];
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
<title>Input Escape Test</title>
</head><body>
The php parser would store the following input:<br>
<?php echo $var ?>
<br>
<form method="get" action="test.php"><p>
<label for "test2">Test - question five: <br>type in a character on the first line<br>and its HTML entity on the second line.
<textarea name="test2" cols="50" rows="3"><?php echo $var; ?></textarea><br/>
<input type="submit"/>
</p></form>
</body></html>
results in a form where the user attempts to answer the question with
ampersand
ampersand a m p semicolon.
IF that gets rejected (say, because of other illegal characters), the user is presented with his input back, minus the stripped characters. However, the
a m p semicolon
is also stripped from view (though it's in the source).
The user will then attempt to add another a m p semicolon to the displayed result.
The only way the user gets to see
ampersand a m p semicolon
displayed (upon rejected input), is to type in
ampersand a m p semicolon a m p semicolon
Finally satisfied, the user clicks submit again, and the a m p semicolon seemingly disappears again. The user doesn't know what his (submitted) answer will be stored as.
I want the user to be able to type in:
ampersand a m p semicolon
and, upon rejection, see
ampersand a m p semicolon
and upon acceptance, store
ampersand a m p semicolon
Jose
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
是的,这在 Javascript 和服务器端代码中都是可能的。正如您所说,您不会计算启用了 javascript 的用户,我假设您想在服务器端进行这种转换?您只需让用户通过 POST 请求将表单数据发送到您的服务器端代码,然后当您将数据写回到然后,这将完全按照用户输入的内容显示在浏览器中。
编辑:抱歉,我没有仔细阅读您的问题。
您应该能够仅使用一级转义,即编写 &对于“&”而不是 &。当浏览器解析您的页面时,这一级别将被剥离,并且当它作为表单数据发回时,将从数据中消失。查看生成的 html 代码并尝试找出是什么让您需要第二级转义。
Edit2 回应评论:这是一个简单的测试页面,可以在 IE 8.0 和 Firefox 中按预期工作。当您按下发送按钮时,您将在浏览器的地址栏中看到发送到服务器的内容(%26 只是 & 的 URL 编码)。正如您所看到的 &从值以及发送到服务器的数据中删除。
Yes this is possible in Javascript as well as in server side code. As you said you won't count users having javascript enabled, I assume you want to do this kind of conversion on the server side? You just let the user send the form data via a POST request to your server side code and there you tranform every occurance of <, >, &, " and ' into their respective entity form when you write the data back to the html response page. This will then show up in the browser exactly as it was entered by the user.
Edit: Sorry, I didn't read your question carefully enough.
You should be able to use just one level of escaping, i.e. to write & for a '&' and not &. This one level will be stripped when the browser parses your page and will be disappeared from the data when it get's sent back as form data. Have a look at the generated html code and try to find out what makes you need that second level of escapes.
Edit2 in response to the comments: Here is a simple test page that works as expected in IE 8.0 and Firefox. When you press the send button you will see what is getting sent to the server in the address bar of your browser (the %26 is just the URL-encoding for the &). As you can see the & gets stripped from the value and also from the data that is sent to server.
当将数据从 PHP 推送到浏览器、数据库或任何地方时,您必须将其表示更改为接收端可接受的表示形式。
在将内容发送到浏览器的情况下,您需要 htmlentities 转换器:
C.
When pushing data out of PHP, to the browser, to a database, anywhere, you MUST change it representation to one acceptable to the receiving end.
In the case of sending stuff to the browser, you need the htmlentities converter:
C.