How should I store comments in the database so that I can efficiently display them as HTML text on a page?
I have a form where the user enters multiple lines of text in a text area.
Some of the lines can have HTML markup as well. Say one line is bold.
How should I save the text in my database?
Should I store them like this?
This is a great post
<br/>
I love this type of findings.
<br/>
<br/>
Thanks for sharing
OR like this?
This is a great post
<br/>
I love this type of findings.
<br/>
<br/>
Thanks for sharing
During editing:
I must show the text as it was entered. So the line break will be replaced by a newline.
That way the user sees there is a line break. Textarea won't understand br markup.
During displaying:
I must render the text so that it appears like this on the page:
This is a great post
I love this type of findings.
Thanks for sharing
I want to know the cleanest way to store text that can have markup in it.
Thanks for the help
Comments (3)
Since you want to output HTML, you will have to store the input in its raw format in the database. There is only one catch though. You never should trust input, since all input is evil, especially in this case, since outputting HTML directly as it is inputted opens the possibility of a cross-site scripting (XSS) attack.
You have basically got two options:
Use an HTML sanitizer that lets you remove all tags that are not known to be safe. A good sanitizer is the one that comes with the Microsoft AntiXss toolkit.
Encode the input and decode parts of the result that are known to be safe, for instance:
Note: The example uses the Encoder class from the Microsoft AntiXss toolkit.
Now the question becomes, at what point should we clean it up. Normally you should encode the output just before you send it to the client and not store it encoded in the database, since it depends on the output type (HTML, PDF, JSON) how data should be encoded. This is amplified by the fact that in case there is a bug in the encoder, there is no way to fix it, since the data is already encoded.
In this case it is a bit more tricky though, since the input is HTML and not just text. I would say that sanitizing is something you still would want to do beforehand, because this way you prevent bad input from entering your database. The EncodeInputWithSafeList method is a bit tricky, because it is both a sanitizer and an encoder. When we run it before it goes into the database, it prevents the output from changing when we change the safe list. This can be both a good thing and a bad thing, but I would say that when you add new tags to the safe list, you wouldn't want old data to suddenly change. So in this case I would go with input encoding, instead of output encoding.
When you go with input encoding, name the database column in such a way that it is clear that we're dealing with sanitized, encoded data.
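The safe-list route this answer describes, as an added Python example that is not from the answer or from the AntiXss toolkit: a small sanitizer/encoder run once on input (the input-encoding choice above), plus the two renderers for display and for the edit textarea. The sample comment, the safe-tag set and the column name comment_html_sanitized are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample of what a user might type: one bold line, an unclosed <i>,
# and a <script> tag that must never reach the page.
RAW_COMMENT = ("This is a <b>great</b> post\nI love <i>this type of findings.\n\n"
               "<script>alert(1)</script>Thanks for sharing")
SAFE_TAGS = {"b", "i", "em", "strong"}   # allow-list; anything else is dropped

class SafeListSanitizer(HTMLParser):
    """Keep only allow-listed tags (attributes discarded) and entity-encode
    all text; unknown tags are dropped but their text is kept, encoded."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []
    def handle_starttag(self, tag, attrs):
        if tag in SAFE_TAGS:
            self.out.append(f"<{tag}>")
            self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in self.open:              # close nested tags up to this one
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))
    def result(self):
        self.close()
        while self.open:                  # close anything left dangling
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)

def sanitize_for_storage(text):
    """Run once on input; the result goes into a column named e.g.
    comment_html_sanitized (assumed). Newlines are kept as typed."""
    p = SafeListSanitizer()
    p.feed(text)
    return p.result()

def render_html(stored):
    """Display: stored text is already safe, only newlines need markup."""
    return stored.replace("\n", "<br/>")

def render_for_textarea(stored):
    """Edit: show allowed tags literally. Only < and > are escaped; '&' is
    already an entity in the stored text and the textarea decodes it."""
    return stored.replace("<", "&lt;").replace(">", "&gt;")
```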
Try htmlentities($str, ENT_QUOTES); before you save the data, and html_entity_decode($str) after you fetch it from your db, before you render it to the browser.
Saving it to your database like this:
would work.