If you rigorously validate your HTML like I do, you've probably seen the warning about HTML entities many times. Inevitably an ampersand makes its way into your code without being properly encoded. It's almost always in a hyperlink where you're trying to pass a QueryString variable or two.
somefile.asp?this=that&blah=meh
That ampersand needs to be encoded as &amp;. Likewise, double quotation marks need to be encoded as &quot;, and the greater-than and less-than symbols need to be encoded as &gt; and &lt; respectively. If you allow users to write things on your web site, then you need a programmatic solution. Our PHP programmer friends have one in their toolbox which we can borrow.
function htmlspecialchars(someString)
    ' Critical that ampersand is converted first, since all entities contain them.
    htmlspecialchars = replace(replace(replace(replace(someString, "&", "&amp;"), ">", "&gt;"), "<", "&lt;"), """", "&quot;")
end function

function htmlspecialchars_decode(someString)
    ' Mirror image of the encoder: &amp; must be converted last, otherwise a literal
    ' "&amp;lt;" would first become "&lt;" and then "<" (a double decode).
    htmlspecialchars_decode = replace(replace(replace(replace(someString, "&quot;", """"), "&lt;", "<"), "&gt;", ">"), "&amp;", "&")
end function
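The replacement order behind these two functions matters in both directions: the ampersand has to go first when encoding (otherwise the & introduced by &gt; would itself be re-encoded) and last when decoding (otherwise a literal &amp;lt; collapses to a bare <). The following Python port is an added example, not code from the original post; it keeps the same four-character table, checks the round trip on constructed input, and shows what the wrong decode order does to it.

```python
# Added example: Python port of the classic-ASP htmlspecialchars pair,
# written to show why the replacement order matters. Not code from the
# original post.

# Order is significant: '&' first on encode so the '&' introduced by the
# other entities is not re-encoded; the same table is walked in reverse on
# decode so '&amp;' is expanded last.
ENTITY_TABLE = [
    ("&", "&amp;"),
    (">", "&gt;"),
    ("<", "&lt;"),
    ('"', "&quot;"),
]


def htmlspecialchars(s: str) -> str:
    """Encode the four characters the post lists; '&' is handled first."""
    for raw, entity in ENTITY_TABLE:
        s = s.replace(raw, entity)
    return s


def htmlspecialchars_decode(s: str) -> str:
    """Decode in reverse order so '&amp;' is expanded last."""
    for raw, entity in reversed(ENTITY_TABLE):
        s = s.replace(entity, raw)
    return s


def decode_ampersand_first(s: str) -> str:
    """The mistaken variant: '&amp;' expanded first, so '&amp;lt;' ends as '<'."""
    for raw, entity in ENTITY_TABLE:
        s = s.replace(entity, raw)
    return s


def round_trips(s: str) -> bool:
    """True when encode followed by (correct) decode returns the input unchanged."""
    return htmlspecialchars_decode(htmlspecialchars(s)) == s


# Constructed sample input: user-written text that already contains an entity
# and a quoted comparison, so every table entry is exercised.
SAMPLE = 'AT&T says "5 < 6" and literal &lt; too'

# The post's own query-string case, as it should appear inside an href attribute.
QUERY = "somefile.asp?this=that&blah=meh"

if __name__ == "__main__":
    print(htmlspecialchars(QUERY))
    enc = htmlspecialchars(SAMPLE)
    print(enc)
    print(round_trips(SAMPLE))
    # With '&amp;' decoded first the literal "&lt;" in the input turns into "<".
    print(decode_ampersand_first(enc))
```

The encoder alone is what the post is after; the two decoders are there to make the ordering argument concrete, since a validator will not catch a double decode but a round-trip check will.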
