
Preventing XSS attacks: HTML-encode when the user submits input, or HTML-encode when outputting the page? Which solution is better?

For example:
Regarding preventing XSS attacks, should HTML encoding be performed when the user submits input, or when outputting the page? Which solution is better?

Personally, I feel that it is more convenient to encode on input, because there will be more pages with output content, and it is easy to miss one when encoding every time. However, in actual applications, it seems that encoding when outputting is more convenient?

天蓬老师 · 2801 days ago · 868

Replies (3)

  • 过去多啦不再A梦

    过去多啦不再A梦 2017-05-16 12:05:00

    For XSS filtering, remember:
    It must be filtered on the server side!!!!!!!
    Be sure to filter when outputting!!!!!

  • 黄舟

    黄舟 2017-05-16 12:05:00

    Server side: Write the escape of the library and escape when displaying

  • 某草草

    某草草 2017-05-16 12:05:00

    I usually escape when typing to prevent SQL injection

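
An added example (not code from the question or from any reply above) comparing the two placements the question asks about, using Python's standard `html`, `json` and `sqlite3` modules. The table name, sample comment and function names are constructed for illustration. It stores the raw input with a parameterized query and encodes per output context, then shows what the same renderers produce when the value was HTML-encoded before storage.

```python
import html
import json
import sqlite3

# Constructed sample input: a comment containing markup, an ampersand and quotes.
SAMPLE = '<script>alert(1)</script> Tom & "Jerry" O\'Neil'

def store(db, text):
    # Parameterized query: data never becomes part of the SQL text, so SQL
    # injection is handled here without any HTML escaping of the value.
    db.execute("INSERT INTO comments(body) VALUES (?)", (text,))

def load_latest(db):
    row = db.execute("SELECT body FROM comments ORDER BY id DESC LIMIT 1").fetchone()
    return row[0]

def render_html(text):
    # HTML element and quoted-attribute context: escape & < > " and '.
    return '<p title="{0}">{0}</p>'.format(html.escape(text, quote=True))

def render_json(text):
    # JSON API response context: JSON encoding applies, HTML encoding does not.
    return json.dumps({"body": text})

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments(id INTEGER PRIMARY KEY, body TEXT)")

    # Approach A: store the raw value, encode when outputting.
    store(db, SAMPLE)
    raw = load_latest(db)

    # Approach B: HTML-encode on input, then pass through the same renderers.
    store(db, html.escape(SAMPLE, quote=True))
    pre_encoded = load_latest(db)

    return {
        "raw_roundtrip": raw == SAMPLE,
        "html_out": render_html(raw),
        "json_out": json.loads(render_json(raw))["body"],
        "double_encoded": render_html(pre_encoded),
        "json_from_pre": json.loads(render_json(pre_encoded))["body"],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=>", value)
```

With the pre-encoded value, the HTML page shows literal `&lt;` text because it is escaped twice, and the JSON consumer receives HTML entities it never asked for; the raw stored value renders correctly in both contexts.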