HTML and CSS Reference
In-Depth Information
location.host.toLowerCase().indexOf("example.org") <= 0) {
location.href="http://www.example.org/";
}// -->
</script>
If a site is dynamically generated from a database, this problem can become more frequent. A SQL database has no trouble storing a string such as "A&P" in a field, and indeed it is the unescaped string that should be stored.
When you receive data from a database or any other external source, clean it first by escaping these ampersands at the point where the data is written into the page. For example, in a Java environment, the Apache Commons library includes a StringEscapeUtils class that can encode raw data using either XML or HTML rules.
Do not forget to escape ampersands that appear in URL query strings. In particular, a URL such as this:
must become this:
This is true even inside href attributes of a elements, where the ampersand separating query parameters must be written as &amp;:
<a href="http://example.com/search?name=detail&amp;uid=16">Search</a>
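An added example, not from the book, showing the same escape-at-output rule in JavaScript (Node) rather than the Java StringEscapeUtils class the text mentions. The function names (escapeHtml, renderSearchLink, renderCompanyCell) and the sample row are assumptions constructed for the example.

```javascript
// Added example (not the book's code): raw data such as "A&P" stays unescaped in
// storage and is escaped exactly once, at the moment it is written into HTML.

// The five characters that matter in HTML text and attribute values. A single
// regex pass guarantees the '&' introduced by one replacement is never re-escaped.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(raw) {
  return String(raw).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample "database row": stored unescaped, as the text recommends.
const sampleRow = { company: 'A&P', uid: 16 };

// Escape a stored value on its way into element content.
function renderCompanyCell(row) {
  return `<td>${escapeHtml(row.company)}</td>`;
}

// Build the <a> element from the page's example. URLSearchParams percent-encodes
// the parameter values; escapeHtml then turns the '&' between parameters into
// '&amp;' so the href attribute is valid HTML.
function renderSearchLink(baseUrl, params, label) {
  const url = `${baseUrl}?${new URLSearchParams(params).toString()}`;
  return `<a href="${escapeHtml(url)}">${escapeHtml(label)}</a>`;
}

// Caveat: escaping must happen once. If an already-escaped string were stored
// and escaped again, '&amp;' would become '&amp;amp;' and render literally.
function isDoubleEscaped(stored) {
  return escapeHtml(stored) !== stored && /&(amp|lt|gt|quot|#39);/.test(stored);
}
```

Storing "A&P" and escaping at output yields `<td>A&amp;P</td>` and the link `href="http://example.com/search?name=detail&amp;uid=16"`; storing "A&amp;P" instead would be flagged by isDoubleEscaped.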