you write
if (7 > x)
However, I normally just rely on placing the script in an external file or an XML comment instead:
<script type="text/javascript" language="javascript">
<!--
// Redirect to example.org unless the page is already being served from
// example.com or example.org (indexOf returns -1 when the substring is absent).
if (location.host.toLowerCase().indexOf("example.com") < 0 &&
    location.host.toLowerCase().indexOf("example.org") < 0) {
  location.href = "http://www.example.org/";
}
// -->
</script>
This is a truly ugly hack and one I cringe to even suggest, but it is what seems to work and what browsers
expect and deal with, and it is well-formed.
A lot of these problems can spread out across a site when the site is dynamically generated from a database
and the scripts or templates that generate it do not sufficiently clean the data they're working with. A typical
SQL database has no trouble storing a string such as x > y in a VARCHAR field. However, when you take data
out of a database you have to clean it first by escaping any such characters. Most major templating languages
have functions for doing exactly this. For instance, in PHP the htmlspecialchars function converts the five
reserved characters (>, <, &, ', and ") into the equivalent entity references. Just make sure you use it. Even if
you think there's no possible way the data can contain reserved characters such as <, I still recommend cleaning
it. It doesn't take long, and it can plug some nasty security holes that arise from people deliberately injecting
weird data into your system.
Note
You do not need to escape greater-than signs, although you can. The only situation where this is
mandatory is when the three-character string ]]> appears in regular content. This is likely to happen
only if you're writing an XML tutorial. (That's the CDATA section closing delimiter.) Nonetheless, if you're
worried about someone attempting to inject bad data into your system, you can use a similar approach
to change > to &gt;.
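The following is an added example, not code from the book, showing the cleaning step described above for data coming out of a database and the special case from the note: a small JavaScript template escapes the five reserved characters the way PHP's htmlspecialchars does with ENT_QUOTES, and a second helper handles the ]]> sequence in XML content. The comment rows are constructed sample data; the function names are my own.

```javascript
// Added example (not from the book): escape database-sourced strings before
// they are interpolated into HTML, mirroring PHP htmlspecialchars(..., ENT_QUOTES).

// The five reserved characters and their entity references.
const ENTITY_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#039;", // htmlspecialchars emits &#039; rather than &apos; for HTML 4 output
};

// One regex pass replaces every reserved character, so "&amp;" produced for
// one character is never re-escaped by a later replacement in the same call.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// In XML "regular content" (outside CDATA) only the sequence "]]>" must be
// escaped; a lone ">" may stay as-is. "]]&gt;" is the usual replacement.
function escapeCdataEnd(text) {
  return String(text).split("]]>").join("]]&gt;");
}

// Render a comment list from rows as they might sit in a VARCHAR column.
// The `escape` parameter lets the unescaped output be shown for comparison.
function renderComments(rows, escape = escapeHtml) {
  return rows
    .map((row) => `<li title="${escape(row.author)}">${escape(row.body)}</li>`)
    .join("\n");
}

// Constructed sample rows: the second one carries a quote that would end the
// title attribute early and markup that would become live elements.
const SAMPLE_ROWS = [
  { author: "alice", body: "x > y" },
  { author: 'bob" title="hijacked', body: "<b>bold</b> & <i>italic</i>" },
];

// Without cleaning, stored text is parsed as markup.
const unsafeHtml = renderComments(SAMPLE_ROWS, (s) => s);
// With cleaning, every row is rendered as inert text.
const safeHtml = renderComments(SAMPLE_ROWS);
```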