What do I need to escape inside the html <pre> tag

问题

I use the <pre> tag in my blog to post code. I know I have to change < to < and > to >. Are any other characters I need to escape for correct html?

回答1:

What happens if you use the <pre> tag to display HTML markup on your blog:

<pre>Use a <span style="background: yellow;">span tag with style attribute</span> to hightlight words</pre>

This will pass HTML validation, but does it produce the expected result? No. The correct way is:

<pre>Use a &lt;span style=&quot;background: yellow;&quot;&gt;span tag with style attribute&lt;/span&gt; to hightlight words</pre>

Another example: if you use the pre tag to display some other language code, the HTML encoding is still required:

<pre>if (i && j) return;</pre>

This might produce the expected result but does it pass HTML validation? No. The correct way is:

<pre>if (i &amp;&amp; j) return;</pre>

Long story short, HTML-encode the content of a pre tag just the way you do with other tags.

回答2:

The "Only For You" - HTML "fosile" version: using <xmp> tag

This is not well known, but it really does exist and even chrome still supports it, however using pair <xmp> tag is NOT recommended to be relied on - it's just for you, but its a very simple way how to do your personal e.g. DOCS. even w3.org WIKI says in example "No, really. don't use it."

You can put ANY html (excluding </xmp> end tag) inside <xmp></xmp>

<xmp>
<html> <br> just any other html tags...
</xmp>

The proper version

Proper version could be considered a HTML stored as STRING and displayed with the help of some escaping function.
Just remember one thing - the strings in C-like languages are ususally written between single quotes or double quotes - if you wrap your string in double => you should escape doubles (problably with \), if you wrap your string in single => escape singles (probably with \)...

The most common way - Server-side language escaping (ex. in PHP)

Server-side scripting languages often have some built-in function to escape HTML.

<?php
   $html = "<html> <br> or just any other HTML"; //store html
   echo htmlspecialchars($html); //display escaped html
?>

The client-side way (example in JavaScript&jQuery)

Similar approach as on server-side is achievable in client-side scripts, JavaScript, from what I know, has no built-in function for that (it's quite logical), but if you use some framework/library, like jQuery - there are functions that can be used that way.
Just remember the same thing as for server-side - in C-like languages, escape the quotes you've wrapped your string in...

var html = '<html> <br> or just any other HTML';
var $elementToInsertEscapedHTMLto = jQuery("XXX"); //XXX is selector, e.g. CSS selector
$elementToInsertEscapedHTMLto.text( html ); 

回答3:

For posting code within your markup, I suggest using the <code> tag. It works the same way as pre but would be considered semantically correct.

Otherwise, <code> and <pre> only need the angle brackets encoded.

回答4:

Use this and don't worry about any of them.

<pre>
${fn:escapeXml('
  <!-- all your code -->
')};
</pre>

You'll need to have jQuery enabled for it to work.

来源：https://stackoverflow.com/questions/1273145/what-do-i-need-to-escape-inside-the-html-pre-tag