gpt4 book ai didi

json - GSON disableHtmlEscaping - 为什么 GSON 默认情况下会转义 HTML?

转载 作者:行者123 更新时间:2023-12-01 23:08:36 34 4
gpt4 key购买 nike

我注意到 GSON HTML 转义 <>字符,可以通过使用disableHtmlEscaping()来禁用它构建器配置方法。但我的问题是 - 为什么 GSON 默认情况下会进行 HTML 转义?不进行 HTML 转义有哪些风险?

谢谢。

最佳答案

实际上,disableHtmlEscaping()方法告诉 Gson 不要转义 HTML 字符,例如 < , > , & , = ,和' .

单引号引起问题的示例:在 <script/> 中渲染未转义的 JSON HTML 页面中的标记,无需使用额外的 <![CDATA[ ... ]]>标签。

乔尔·雷奇 (Joel Leitch) 写道 a great response to a similar question 。以下是亮点:

Characters such as <, >, =, etc. are escaped because if the JSON string evaluated by Gson is embedded in an XHTML page then we do not know what characters are actually wrapping this JSON string. Therefore, if there was an open quote, then the embedded JSON followed by a closing quote then we do not know what will happen. Maybe if the Gson string contains a abc=123 and there happens to be a "var abc" defined then the embedded the Gson output in the page may cause the abc JavaScript variable to be assigned the value 123. The same thing can happen with < and > or even &.

As for the whitespace escaping, \t is an escaped character for a tab. Likewise, \n and \r are escape characters for newlines and carriage returns. Escaping whitespace like this should ensure that any editor will show the proper whitespace (if the editor properly evaluates these escaped characters).

EscaperJsonWriter类包含有关 Gson 转义的完整字符集的更多信息。

关于json - GSON disableHtmlEscaping - 为什么 GSON 默认情况下会转义 HTML?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/23363843/

34 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com