htmlspecialchars - there must be a better way
My understanding is that all variables should be output through htmlspecialchars() in a view.
Are there any approaches or methods to do this, without having to specify the function on each appropriate line in each view?
The best that I could come up with is to have a helper function as follows:
function h($var)
{
    // Escape arrays recursively so every leaf value is covered.
    if (is_array($var))
    {
        return array_map('h', $var);
    }
    else
    {
        // ENT_QUOTES escapes both single and double quotes; the charset
        // must be spelled 'UTF-8' (with the hyphen) for htmlspecialchars().
        return htmlspecialchars($var, ENT_QUOTES, 'UTF-8');
    }
}
But still...this could get very tedious!
Any ideas?
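One way to stop writing the escape call on every line is to escape at the view boundary instead: the renderer escapes every variable once before the template sees it, and trusted markup has to be opted in explicitly. The following is an added example, not code from the question or from any answer on this page; it assumes PHP 8.1+, and the names RawHtml, h(), render_view() and the temporary template file are constructed for the demonstration.

```php
<?php
// Added example, not code from the question or from any answer on this page.
// Assumptions: PHP 8.1+; RawHtml, h(), render_view() and the temporary
// template file are all constructed for this demonstration.

declare(strict_types=1);

/** Marker for markup the caller vouches for (e.g. output of an HTML sanitizer). */
final class RawHtml
{
    public function __construct(public readonly string $html) {}
}

/**
 * Escape one value for an HTML text node or a double-quoted attribute value.
 * ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string, and the charset is 'UTF-8'
 * (with the hyphen), which is the spelling htmlspecialchars() recognises.
 * Arrays are escaped recursively; RawHtml passes through unchanged.
 */
function h(mixed $value): mixed
{
    if ($value instanceof RawHtml) {
        return $value->html;
    }
    if (is_array($value)) {
        return array_map('h', $value);   // keys are preserved
    }
    if ($value === null || is_bool($value)) {
        return $value;                   // nothing to escape; keep the type for template conditionals
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render a PHP template with every variable escaped once, at the output boundary,
 * so the template never calls h() itself. Trusted markup is opted in with RawHtml.
 */
function render_view(string $templateFile, array $vars): string
{
    $escaped = h($vars);
    return (static function () use ($templateFile, $escaped): string {
        extract($escaped, EXTR_SKIP);    // template sees $title, $query, ... already escaped
        ob_start();
        include $templateFile;
        return (string) ob_get_clean();
    })();
}

// --- demonstration with constructed input -----------------------------------
$templateSource = <<<'TPL'
<h1><?= $title ?></h1>
<input name="q" value="<?= $query ?>">
<ul><?php foreach ($tags as $tag): ?><li><?= $tag ?></li><?php endforeach ?></ul>
<div class="bio"><?= $bio ?></div>
TPL;

$templateFile = tempnam(sys_get_temp_dir(), 'tpl');
file_put_contents($templateFile, $templateSource);

$html = render_view($templateFile, [
    'title' => 'Results for <script>alert(1)</script>',    // constructed hostile input
    'query' => 'a"b & c',
    'tags'  => ['<b>one</b>', "it's"],
    'bio'   => new RawHtml('<em>sanitized upstream</em>'), // deliberately trusted
]);
unlink($templateFile);

echo $html;
```

Two caveats apply to this pattern. h() is correct only for HTML text and double-quoted attribute values; a value placed inside a URL, a script block or a CSS rule needs that context's own encoding, and the renderer cannot know which context a template will use a variable in. And the RawHtml opt-in is the audit point: grep for it, and require that anything wrapped in it has passed a sanitizer rather than a trust assumption. Template engines with auto-escaping, such as Twig, implement the same idea with the same two caveats.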
Comments (3)
You may have the function h() output the escaped data, rather than return it. Therefore, instead of writing <?php echo h($myvar); ?> you may write <?php h($myvar); ?>. This is now two characters shorter than echoing the variable without converting to entities.
It's an important distinction to note that not all variables must be run through htmlentities/htmlspecialchars, just ones that contain user-supplied content in any way, that are not already filtered against a rule-set to prevent arbitrary code inclusion.
You could create a helper function to cut down on the typing slightly, or loop all user-supplied input through htmlentities/htmlspecialchars in your controllers before handing them off to the view (though this will likely be less efficient, since it is unlikely every piece of user-supplied input will be displayed).
What you have there is probably the closest you come to an easy escape in a lot of situations.
Personally I use a little loop on my variables; if I know I'm going to be using any $_GET variables in my HTML output, I run this:
Then start my html tags right after.
Not everything needs to be escaped though, unless the user has any influence on it.
In addition, you could have a script called escape.php, which uses the above method on common variables you use, like $_GET, $_POST, $_COOKIE and so on, then include('escape.php') in your scripts before use in the HTML output. All in all, it pretty much depends on your taste and what you need for your project.
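The two preceding answers both suggest escaping request variables up front, in the controller or in an escape.php included before output. The added example below (not code from either answer; the request array and function names are constructed, and the in-place loop is my reading of the approach, since the answer's own loop is not preserved on the page) shows that approach next to the three behaviours it introduces: safe direct echoing, double escaping when a view escapes again, and entity text leaking into non-HTML sinks.

```php
<?php
// Added example, not code from any answer on this page. It puts the
// "escape every request variable up front" idea next to the behaviour a
// practitioner needs to know about. The sample request array and the
// function names are constructed for the demonstration.

declare(strict_types=1);

function escape_html(string $s, bool $doubleEncode = true): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', $doubleEncode);
}

/** The escape.php approach: walk a request array (think $_GET/$_POST) and escape every string leaf. */
function escape_request(array $request): array
{
    array_walk_recursive($request, static function (&$leaf): void {
        if (is_string($leaf)) {
            $leaf = escape_html($leaf);
        }
    });
    return $request;   // arrays are passed by value, so the caller's copy is untouched
}

/** A view fragment written the way the question proposes: it escapes at output time. */
function render_name_field(string $name): string
{
    return '<input name="name" value="' . escape_html($name) . '">';
}

// Constructed stand-in for user-supplied request data.
$request = [
    'name'   => "O'Reilly & Sons",
    'filter' => ['tag' => '<script>'],
];
$escaped = escape_request($request);

// 1. Echoing a pre-escaped leaf straight into HTML is safe: the tag became entity text.
echo $escaped['filter']['tag'], PHP_EOL;

// 2. Combine it with a view that escapes on output and the "&" introduced by the
//    first pass is encoded again, so the browser shows the entity text literally.
echo render_name_field($escaped['name']), PHP_EOL;

// 3. Anything that is not HTML (database row, JSON API, log line, e-mail) now
//    receives entity text instead of what the user typed.
echo json_encode(['name' => $escaped['name']]), PHP_EOL;

// 4. double_encode=false suppresses the second encoding, but at the cost of ambiguity:
//    a user who typed "&amp;" and one who typed "&" become indistinguishable.
$typedEntity = escape_html('Type &amp; to get an ampersand', false);
$typedAmp    = escape_html('Type & to get an ampersand', false);
echo $typedEntity === $typedAmp ? 'ambiguous' : 'distinct', PHP_EOL;

// Keeping the raw value and escaping exactly once, in the view, has none of these problems.
echo render_name_field($request['name']), PHP_EOL;
```

The practical consequence is that "escape on input" only works for an application where every request value is used in exactly one place and that place is HTML. As soon as the same value is also stored, searched, logged or returned as JSON, the stored form is wrong, and the usual patch (double_encode=false, or un-escaping before use) either loses information or reintroduces the original risk. Escaping once at the output boundary keeps the data intact and puts the decision where the output context is known.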