why does _.escape modify / characters in Underscore.js?

 ̄綄美尐妖づ 提交于 2019-12-10 02:36:59

问题


I was looking through the Underscore.js api and I noticed that _.escape escapes &, <, >, ", ', and / characters. What surprised me was escaping /.

Is there a reason to escape / characters that I don't know about?


回答1:


EDIT: Alright, apparently, it is recommended by OWASP as it "helps end a HTML entity".

Escape the following characters with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers. Using hex entities is recommended in the spec. In addition to the 5 characters significant in XML (&, <, >, ", '), the forward slash is included as it helps to end an HTML entity.

& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27;     &apos; is not recommended
/ --> &#x2F;     forward slash is included as it helps end an HTML entity


来源:https://stackoverflow.com/questions/8298274/why-does-escape-modify-characters-in-underscore-js

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!