PHP XSS清理
|
问题:
什么是最好的safe1(),safe2(),safe3()和safe4()函数来避免UTS8编码页面的XSS?它在所有浏览器(特别是IE6)中也是安全的吗? <body><?php echo safe1($xss)?></body>
<body id="<?php echo safe2($xss)?>"></body>
<script type="text/javascript">
var a = "<?php echo safe3($xss)?>";
</script>
<style type="text/css">
.myclass {width:<?php echo safe4($xss)?>}
</style>
. 很多人说可以做的绝对最好的是: // safe1 & safe2 $s = htmlentities($s,ENT_QUOTES,"UTF-8"); // But how would you compare the above to: // https://github.com/shadowhand/purifier // OR http://kohanaframework.org/3.0/guide/api/Security#xss_clean // OR is there an even better if not perfect solution? . // safe3 $s = mb_convert_encoding($s,"UTF-8","UTF-8"); $s = htmlentities($s,"UTF-8"); // How would you compare this to using using mysql_real_escape_string($s)? // (Yes,I know this is a DB function) // Some other people also recommend calling json_encode() before passing to htmlentities // What's the best solution? . 关于PHP和XSS的帖子很多. Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection? XSS Me Warnings – real XSS issues? CodeIgniter – why use xss_clean
safe2()显然是
htmlspecialchars()
取代safe1(),您应该使用 safe3()尖叫正则表达式.在这里,您实际上只能将白名单应用于您真正想要的任何内容: var a = "<?php echo preg_replace('/[^-wd .,]/',"",$xss)?>";
你当然可以在这里使用json_encode来获得一个完全有效的JS语法和变量.但是你刚刚将该字符串的可利用性推迟到你的JS代码中,然后你必须在那里照看它.
如果您明确指定了charset,那么IE将不会执行其糟糕的内容检测魔法,因此可以忽略UTF7漏洞利用. (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |