No format checking for content inside tags such as <input>, <textarea>, <xmp> #15
Comments
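Hmm, input can be dropped. For textarea, if we're being strict, the <> inside should be converted to entities, right? One addition: when script[type] has a non-script value, treat it as a template; when it is a script, we need to consider doing script lint checking |
Treating it as a template means not checking it, right? Currently, when we hit script and style, the contents are treated as plain text. Does script lint checking mean doing the work of jshint and csshint as well? |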
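We definitely won't duplicate that work. There needs to be a mechanism that hands it off so I can take over processing it; this part still needs some thought |
Content inside <textarea> should be encoded, and that can be checked. script has to conform to the "restriction on script content", which simply put means the string </script> must not appear inside it. For textarea, just adding a separate rule to check the content is enough. But for script, if it contains |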
@Justineo According to the standard, that's not the case……
"script content restrictions" says precisely that there must be no occurrence of |
12.1.2.6 Restrictions on the contents of raw text and escapable raw text elements
where escapable raw text elements include |
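The restriction in section 12.1.2.6 cited above, sketched as a lint check: the content of such an element must not contain "</" followed by the element's own tag name (case-insensitive) and then a tab, LF, FF, CR, space, ">" or "/". This is an added example, not code from this project or from any commenter; the helper name `findClosingTagViolations` and the sample inputs are constructed for illustration.

```javascript
'use strict';

// Characters that complete the forbidden sequence when they follow
// "</" + tag name: tab, LF, FF, CR, space, ">" or "/".
const TERMINATOR_CLASS = '[\\t\\n\\f\\r />]';

// Hypothetical helper: report every place where `text`, the content of a
// <tagName> element, contains "</tagName" followed by a terminator.
// Returns 1-based line/column so a linter can point at the offending spot.
function findClosingTagViolations(tagName, text) {
  const name = tagName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const pattern = new RegExp('</' + name + TERMINATOR_CLASS, 'gi');
  const violations = [];
  let m;
  while ((m = pattern.exec(text)) !== null) {
    const lineStart = text.lastIndexOf('\n', m.index - 1) + 1;
    const line = text.slice(0, m.index).split('\n').length;
    violations.push({ index: m.index, line, column: m.index - lineStart + 1 });
  }
  return violations;
}

// Constructed sample element contents (tag name, raw content).
const samples = [
  ['script', 'var s = "</script>";'],    // flagged: would end the element early
  ['script', 'var s = "<\\/script>";'],  // "<\/script>" inside a JS string: ok
  ['script', 'a;\nb("</SCRIPT x");'],    // flagged: match is case-insensitive
  ['script', 'var t = "</scripts>";'],   // different tag name: ok
  ['textarea', '&lt;/textarea&gt;'],     // entity-encoded: ok
  ['textarea', 'x </textarea\ty'],       // flagged: tab is a terminator
];

for (const [tag, text] of samples) {
  console.log(tag, JSON.stringify(text), findClosingTagViolations(tag, text));
}
```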
A few questions,