Escaping html in Java

别那么骄傲 2021-02-13 13:53

How do I make sure I don't escape something twice?

I've heard that it's good practice to escape values as you receive them from a form, and also escape when you output.

3 answers
  •  [愿得一人]
    2021-02-13 14:43

    You should only HTML encode when you output something to a browser. This prevents XSS attacks. The kind of escaping that you do when you collect data from a form, before you insert it into a database is not HTML encoding. It's escaping special database characters (best done using parameterized queries). The purpose of that is to prevent SQL injection attacks. So there is no double encoding going on.
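The separation the answer describes, as an added Java example (not code from the original post or any particular library): the form value is stored raw through a `PreparedStatement`, so SQL metacharacters are bound as data, and HTML encoding happens exactly once, at render time. The `comments` table, the `storeComment`/`renderComment` method names and the sample input are assumptions made for the illustration; the `main` method also encodes an already-encoded string to show why double encoding produces visible entities.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public final class EscapingDemo {

    // HTML-encode a string for insertion into an HTML text node or a
    // double-quoted attribute value. Applied once, at output time only.
    public static String htmlEncode(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Persist the raw form value. The JDBC driver binds the parameters, so
    // quotes or comment markers in the text are data, not SQL syntax.
    // No HTML encoding belongs here. (Table and columns are hypothetical.)
    public static int storeComment(Connection conn, long userId, String rawComment)
            throws SQLException {
        String sql = "INSERT INTO comments (user_id, body) VALUES (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, userId);
            ps.setString(2, rawComment);
            return ps.executeUpdate();
        }
    }

    // Render the stored value for the browser: the single place that encodes.
    public static String renderComment(String storedComment) {
        return "<p class=\"comment\">" + htmlEncode(storedComment) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing both an SQL quote and an HTML tag.
        String fromForm = "Bob's <script>alert(1)</script> review";

        // Correct: raw value stored as-is, encoded once on output.
        String rendered = renderComment(fromForm);
        System.out.println(rendered);

        // Incorrect: encoding the already-encoded markup turns the '&' of each
        // entity into "&amp;", so the user sees literal "&lt;" on the page.
        System.out.println(htmlEncode(rendered));
    }
}
```

The same pattern applies to any storage layer: keep the stored value in its original form and let the output context (HTML body, attribute, JavaScript, URL) decide which encoder runs, once, on the way out.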
