 

HTML: Should I encode greater than or not? ( > &gt; )

Tags: html, encoding, xss

When encoding possibly unsafe data, is there a reason to encode >?

  • It validates either way.
  • The browser interprets it the same either way (in the cases of attr="data", attr='data', <tag>data</tag>).

I think the reasons somebody would do this are

  • To simplify regex based tag removal. <[^>]+>? (rare)
  • Non-quoted strings attr=data. :-o (not happening!)
  • Aesthetics in the code. (so what?)

Am I missing anything?

asked Jan 25 '12 21:01 by 700 Software



2 Answers

Strictly speaking, to prevent HTML injection, you need only encode < as &lt;.

If user input is going to be put in an attribute, also encode " as &quot;.

If you're doing things right and using properly quoted attributes, you don't need to worry about >. However, if you're not certain of this you should encode it just for peace of mind - it won't do any harm.

answered Sep 21 '22 15:09 by Niet the Dark Absol


The HTML4 specification in its section 5.3.2 says that

authors should use "&gt;" (ASCII decimal 62) in text instead of ">"

so I believe you should encode the greater > sign as &gt; (because you should obey the standards).

answered Sep 19 '22 15:09 by Basile Starynkevitch
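Added example, not code from the question or from either answer, illustrating both of them: the first answer's minimal rule (encode only what can end the current context: `<` in text, `"` in a double-quoted attribute, `&` in both) next to full escaping that also encodes `>` as the HTML 4 text quoted in the second answer recommends. It also shows the two cases the question raises where an unencoded `>` does matter: an unquoted attribute, where the value ends at the first `>` or whitespace, and a regex tag stripper like `<[^>]+>`, which stops at a `>` inside a quoted attribute value and so disagrees with the browser's tokenizer unless `>` is encoded. The `PAYLOAD` string is constructed for the demonstration; the `listTags` scanner is a deliberate simplification of the HTML tokenizer (every quote character inside a tag is treated as opening a quoted attribute value), sufficient for the inputs used here. Runs under Node.js with no dependencies.

```javascript
// Added example (not from the original question or answers): minimal vs full
// HTML escaping, checked against a quote-aware tag scanner and against the
// naive regex tag matcher from the question.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Full escaping: safe in text and in quoted attributes, and keeps regex-based
// tag handling in agreement with what the browser sees.
function escapeFull(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Minimal escaping for text between tags: only '<' can open a tag, and '&'
// must be encoded so the data is not decoded as an entity.
function escapeTextMinimal(s) {
  return String(s).replace(/[&<]/g, (c) => ENTITIES[c]);
}

// Minimal escaping for a double-quoted attribute value: only '"' can end the
// value; '<' and '>' are inert inside the quotes.
function escapeAttrMinimal(s) {
  return String(s).replace(/[&"]/g, (c) => ENTITIES[c]);
}

// Three ways of embedding the same untrusted string.
function renderQuotedMinimal(untrusted) {
  return `<span title="${escapeAttrMinimal(untrusted)}">${escapeTextMinimal(untrusted)}</span>`;
}
function renderQuotedFull(untrusted) {
  return `<span title="${escapeFull(untrusted)}">${escapeFull(untrusted)}</span>`;
}
// Unquoted attribute (the attr=data case): the value ends at the first
// whitespace or '>', so minimal attribute escaping is not enough here.
function renderUnquotedMinimal(untrusted) {
  return `<span title=${escapeAttrMinimal(untrusted)}>x</span>`;
}

// Tag scanner following the tokenizer's quoting rule: inside a quoted
// attribute value a '>' does not end the tag. Returns tag names in document
// order, with "/" prefixed for end tags. Simplified: any quote character
// inside a tag is treated as opening a quoted value.
function listTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] === '<' && /[A-Za-z\/]/.test(html[i + 1] || '')) {
      let j = i + 1;
      let name = '';
      while (j < html.length && /[A-Za-z0-9\/]/.test(html[j])) name += html[j++];
      let quote = null;
      while (j < html.length) {
        const c = html[j];
        if (quote) { if (c === quote) quote = null; }
        else if (c === '"' || c === "'") quote = c;
        else if (c === '>') break;
        j++;
      }
      tags.push(name.toLowerCase());
      i = j + 1;
    } else {
      i++;
    }
  }
  return tags;
}

// What the naive regex stripper from the question ("<[^>]+>") counts as
// tags: it ends a match at the first '>' regardless of quoting.
function countTagsRegex(html) {
  return (html.match(/<[^>]+>/g) || []).length;
}

// Constructed payload containing the three characters that matter in HTML.
const PAYLOAD = 'a"><img src=x onerror=alert(1)>';

function demo() {
  const quotedMin = renderQuotedMinimal(PAYLOAD);
  const quotedFull = renderQuotedFull(PAYLOAD);
  const unquoted = renderUnquotedMinimal(PAYLOAD);
  return {
    quotedMinimalTags: listTags(quotedMin),             // ['span', '/span']: no injection
    quotedMinimalRegexCount: countTagsRegex(quotedMin), // 3: the regex disagrees with the browser
    quotedFullTags: listTags(quotedFull),               // ['span', '/span']
    quotedFullRegexCount: countTagsRegex(quotedFull),   // 2: regex and browser agree
    unquotedTags: listTags(unquoted),                   // ['span', 'img', '/span']: injected tag
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The quoted-attribute case bears out the first answer: with `"` encoded, the raw `>` and `<` inside the attribute value never reach the tokenizer as markup. Encoding `>` as well changes nothing for the browser but is what makes the regex count match the tokenizer's, which is the practical reason behind the question's first bullet.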