Author Topic: Problem with htmlentities (Read 3840 times)


yes298

  • Lively undergraduate
  • ***
  • Posts: 380
Problem with htmlentities
« on: 2007-04-09 21:05 »
According to the example at http://hk2.php.net/manual/en/function.htmlentities.php :

Code:

<?php
$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>


--------------------------------------------------------------------------
When I run it on my own machine the result is different. It comes out as:
A 'quote' is <b>bold</b>
A 'quote' is <b>bold</b>
Why is that? Do I need to change php.ini?

Yamaka

  • I'm a PhD!
  • *****
  • Posts: 4913
  • http://www.ecmagic.com
Problem with htmlentities
« Reply #1 on: 2007-04-09 21:11 »
Are you looking at it in a browser?

Look at the page source of the output and you will see the result!

yes298

  • Lively undergraduate
  • ***
  • Posts: 380
Problem with htmlentities
« Reply #2 on: 2007-04-10 09:25 »
I see now. But HTML tags such as <b> and <br> are then displayed literally and do not take effect, so what is htmlentities() actually for?

I have been reading <OReilly Essential PHP Security 2005.chm>. It tells you that, for security, you should escape with htmlentities() before displaying anything, but if the string contains HTML tags they are shown literally and do not take effect. Is there a way around this?

For most common destinations (including the client, databases, and URLs), there is a native escaping function that you can use. If you must write your own, it is important to be exhaustive. Find a reliable and complete list of every special character in the remote system and the proper way to represent each character so that it is preserved rather than interpreted.

The most common destination is the client, and htmlentities( ) is the best escaping function for escaping data to be sent to the client. Like most string functions, it takes a string and returns the modified version of the string. However, the best way to use htmlentities( ) is to specify the two optional arguments: the quote style (the second argument) and the character set (the third argument). The quote style should always be ENT_QUOTES in order for the escaping to be most exhaustive, and the character set should match the character set indicated in the Content-Type header that your application includes in each response.

To distinguish between escaped and unescaped data, I advocate the use of a naming convention. For data to be sent to the client, the convention I use is to store all data escaped with htmlentities( ) in $html, an array that is initialized to an empty array and contains only data that has been both filtered and escaped:

    <?php

    // $clean holds input that has already been filtered. The book does not
    // show how it is populated; a sample value is assumed here so that the
    // snippet runs on its own.
    $clean = array('username' => "O'Reilly <admin>");

    $html = array();

    $html['username'] = htmlentities($clean['username'],
      ENT_QUOTES, 'UTF-8');

    echo "<p>Welcome back, {$html['username']}.</p>";

    ?>


By using $html['username'] when sending the username to the client, you can be sure that special characters are not interpreted by the browser. If the username contains only alphanumeric characters, the escaping is not actually necessary, but it is a practice that adheres to Defense in Depth. Consistently escaping all output is a good habit that dramatically increases the security of your applications.
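The point both the original post and the book excerpt above turn on is that htmlentities() is supposed to stop the browser from interpreting markup in untrusted data; tags showing up as literal text in the browser (and as &lt;b&gt; in the page source) is the function working, not failing. The example below is added here and is not code from the thread or from the book. It shows, on a constructed attacker string, the difference between echoing raw input, escaping it for the HTML body and for a single-quoted attribute (which is why ENT_QUOTES and the charset argument matter), and one way to let a page carry a little formatting anyway: escape everything first, then convert a small allow-listed markup ([b], [i], [br], chosen here as an illustration) back into fixed tags. The function names h(), render_body(), render_attr() and render_restricted() are this example's own.

```php
<?php
// Added example, not from the forum thread or from Essential PHP Security.
// Shows what htmlentities() does to attacker-controlled input in the places
// it usually ends up: the HTML body, a quoted attribute, and a page that
// wants to allow a little formatting. All input below is constructed.
declare(strict_types=1);

// Constructed attacker input: closes a single-quoted attribute, adds an
// event handler, and injects a script tag.
$untrusted = "x' onmouseover='alert(1)' foo='<script>alert(document.cookie)</script>";

// 1. Unescaped: the browser interprets the quote and the tags (XSS).
function render_unsafe(string $s): string {
    return "<p>Hello, $s</p>";
}

// 2. Escaped. ENT_QUOTES encodes both ' and " so the input cannot close
//    the attribute it is placed in; the charset argument must match the
//    charset in the Content-Type header sent with the page.
function h(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

function render_body(string $s): string {
    return "<p>Hello, " . h($s) . "</p>";
}

function render_attr(string $s): string {
    return "<input type='text' value='" . h($s) . "'>";
}

// 3. Restricted markup: escape everything first, then turn an allow-listed
//    set of tokens back into fixed tags. Literal HTML typed by the user
//    stays encoded because it was escaped before the replacement ran.
function render_restricted(string $s): string {
    $safe = h($s);
    $allowed = [
        '/\[b\](.*?)\[\/b\]/s' => '<b>$1</b>',
        '/\[i\](.*?)\[\/i\]/s' => '<i>$1</i>',
        '/\[br\]/'             => '<br>',
    ];
    return preg_replace(array_keys($allowed), array_values($allowed), $safe);
}

// The charset here must be the same one passed to htmlentities() above.
header('Content-Type: text/html; charset=UTF-8');

echo "<!-- unsafe -->\n"     . render_unsafe($untrusted) . "\n";
echo "<!-- body -->\n"       . render_body($untrusted)   . "\n";
echo "<!-- attribute -->\n"  . render_attr($untrusted)   . "\n";
echo "<!-- restricted -->\n" . render_restricted("[b]bold[/b] but <b>not this</b>[br]done") . "\n";
```

Run it with the PHP CLI, or serve it and use the browser's view-source, to compare the four blocks: the unsafe line contains a live <script> element and an onmouseover handler, the escaped lines contain only &lt;, &gt; and &#039; entities, and the restricted line renders "bold" in <b> while the user's own <b> shows up as literal text. The restricted-markup approach is preferable to strip_tags() with an allowed-tag list, because strip_tags() keeps attributes on the allowed tags and therefore still lets event handlers through.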