ansaurus

Question

When should I HTML-escape data and when should I URL-escape data?

Answer 1

+2 A:

HTML Escape when you're writing anything to a HTML document.

URL Escape when you're constructing a URL to call in-code, or for a browser to call (i.e. in the href tag).

In your examples you'll want to 'Attribute' escape the attributes. (I can't remember the exact function name, but it's in HttpUtility).

Noon Silk 2010-01-28 02:39:48

What is `HttpUtility`?

bodacydo 2010-01-28 02:51:49

bodacydo: Sorry, I assumed you were using .NET. `HttpUtility` is a class in the `System.Web` namespace in .NET; if you mention what language someone may be able to provide a library/class that can help with the encoding.

Noon Silk 2010-01-28 02:53:21

I am using Python. I already found `cgi.escape` and `urllib.quote_plus` functions and now I am still trying to understand which ones to use. The guy below suggests to do both url-escaping and html-escaping at the same time...

bodacydo 2010-01-28 02:56:35

Answer 2

+1 A:

In the examples you show, it should be first URL-escaped, then HTML-escaped:

<a href="http://www.example.com?arg1=this%2C+that&amp;amp;arg2=blah"&gt;

Max Shawabkeh 2010-01-28 02:44:29

Why both? I don't quite understand :(

bodacydo 2010-01-28 02:51:32

Because it's a URL inside HTML. To be a valid URL, it has to contain only characters allowed in URLs, with invalid ones escaped. However, since to the HTML, it's simply a text value, it has to be escaped for HTML too.

Max Shawabkeh 2010-01-28 02:55:16

What would happen if I only HTML-escaped it?

bodacydo 2010-01-28 03:05:50

Most (probably all) browsers won't mind even if it's not escaped at all. A validator will protest if it's not HTML-escaped (regardless of whether it's URL-escaped). In practice, nothing will break if you don't URL-escape it, but that's the right way to handle it.

Max Shawabkeh 2010-01-28 03:13:41

Tor Valamo 2010-01-28 03:15:38

Thank you! I now understand everything!

bodacydo 2010-01-28 03:33:25

Answer 3

+1 A:

URL encoding ensures that special characters such as ? and & don't cause the URL to be misinterpreted on the receiving end. In practice, this means you'll need to URL encode any dynamic query string values that have a chance of containing such characters.

HTML encoding ensures that special characters such as > and " don't cause the browser the misinterpret the markup. Therefore you need to HTML encode any values outputted into the markup that might contain such characters.

So in your example:

DATA needs to be HTML encoded.
Any dynamic segments of URL will need to be URL encoded, then the whole string will need to be HTML encoded.
Name needs to be HTML encoded.

Nick Higgs 2010-01-28 03:11:10

Your answer was the clearest. Understood everything without asking extra questions!

bodacydo 2010-01-28 03:33:55

ansaurus

tags:

views:

answers:

When should I HTML-escape data and when should I URL-escape data?

related questions