When encoding possibly unsafe data, is there a reason to encode <code>></code>? <ul> <li>It validates either way.</li> <li>The browser interprets the same either way, (In the cases of <code>attr="data"</code>, <code>attr='data'</code>, <code><tag>data</tag></code>)</li> </ul> I think the reasons somebody would do this are <ul> <li>To simplify regex based tag removal. <code><[^>]+>?</code> (rare)</li> <li>Non-quoted strings <code>attr=data</code>. :-o (not happening!)</li> <li>Aesthetics in the code. (so what?)</li> </ul> Am I missing anything?

Strictly speaking, to prevent HTML injection, you need only encode <code><</code> as <code>&lt;</code>. If user input is going to be put in an attribute, also encode <code>"</code> as <code>&quot;</code>. If you're doing things right and using properly quoted attributes, you don't need to worry about <code>></code>. However, if you're not certain of this you should encode it just for peace of mind - it won't do any harm.

The HTML4 specification in its section 5.3.2 says that <blockquote> authors should use "<code>&gt;</code>" (ASCII decimal 62) in text instead of ">" </blockquote> so I believe you should encode the greater <code>></code> sign as <code>&gt;</code> (because you should obey the standards).

HTML: Should I encode greater than or not? ( >

Q: What does &gt mean in HTML?

&gt; stands for the greater-than sign: > &le; stands for the less-than or equals sign: ≤ &ge; stands for the greater-than or equals sign: ≥

Q: What is the difference between Htmlencode and Urlencode?

HTMLEncoding turns this character into "&lt;" which is the encoded representation of the less-than sign. URLEncoding does the same, but for URLs, for which the special characters are different, although there is some overlap.

When encoding possibly unsafe data, is there a reason to encode >?

It validates either way.
The browser interprets the same either way, (In the cases of attr="data", attr='data', <tag>data</tag>)

I think the reasons somebody would do this are

To simplify regex based tag removal. <[^>]+>? (rare)
Non-quoted strings attr=data. :-o (not happening!)
Aesthetics in the code. (so what?)

Am I missing anything?

What does &gt mean in HTML?

> stands for the greater-than sign: > ≤ stands for the less-than or equals sign: ≤ ≥ stands for the greater-than or equals sign: ≥

When should I use Htmlencode?

Any time you are trying to output data that could include untrusted html, you should use HTMLENCODE . Encodes text and merge field values for use in HTML by replacing characters that are reserved in HTML, such as the greater-than sign ( > ), with HTML entity equivalents, such as > .

What is the difference between Htmlencode and Urlencode?

HTMLEncoding turns this character into "<" which is the encoded representation of the less-than sign. URLEncoding does the same, but for URLs, for which the special characters are different, although there is some overlap.

Strictly speaking, to prevent HTML injection, you need only encode < as <.

If user input is going to be put in an attribute, also encode " as ".

If you're doing things right and using properly quoted attributes, you don't need to worry about >. However, if you're not certain of this you should encode it just for peace of mind - it won't do any harm.

The HTML4 specification in its section 5.3.2 says that

authors should use ">" (ASCII decimal 62) in text instead of ">"

so I believe you should encode the greater > sign as > (because you should obey the standards).

HTML: Should I encode greater than or not? ( > > )

Tags:

html

encoding

xss

700 Software

People also ask

2 Answers

Niet the Dark Absol

Basile Starynkevitch

Recent Activity

Donate For Us

HTML: Should I encode greater than or not? ( > &gt; )