json_encode是否有足够的XSS保护？ [英] Is json_encode Sufficient XSS Protection?

问题描述

我在PHP中有一个 stdClass 对象，类似于

I have a stdClass object in PHP, something like

$o = new stdClass;
$o->foo = $bar

变量 $ bar 包含不受信任的字符串。

The variable $bar contains an untrusted string.

以下PHP模板代码是否足够XSS保护

Is the following PHP template code sufficient XSS protection

<script type="text/javascript">
    var o = <?php echo json_encode($o); ?>;
</script>

我最初的直觉反应是是安全，因为编码对象因为JSON将确保任何潜在的javascript漏洞将被包含为JSON字符串属性对象而呈现为惰性。像这样的东西

My initial gut reaction is that is is safe, as encoding an object as JSON will ensure any potential javascript exploits will be rendered inert by being included as JSON string property objects. Something like this

$o = new stdClass;
$o->foo = "<script type=\"text/javascript\">alert(document.cookie)</script>";
?>
<script type="text/javascript">
    var o = <?php echo json_encode($o) ?>;    
</script>    

导致这样的输出

<script type="text/javascript">
    var o = {"foo":"<script type=\"text\/javascript\">alert(document.cookie) <\/script>"};    
</script>    

如果这是不安全的，那么有一种标准的，成熟的方式来序列化一个简单的 stdClass 对象为JSON字符串，用于HTML文档的< script /> 部分。

If this is known unsafe, is there's a standard, mature way of serializing a simple stdClass object to a JSON string for use in a the <script/> portion of an HTML document.

在预期第一个快速回答时，我意识到剥离任何HTML标记，或者以其他方式对JSON对象的每个元素进行XSS过滤都可以，但我正在寻找这是一个简洁的方法。类似于这个

In anticipation of the first quick answer, I realize that stripping out any HTML tags, or otherwise XSS filtering each element of the JSON object would work, but I'm looking for a concise way of doing this. Similar to how this

//$eBar = addslashes($bar);
$sql = sprtinf("SELECT * FROM table WHERE foo = '%s'",mysql_real_escape_string($bar));

此

$sql = $db->select('SELECT * from table where foo = ?', $bar);

（在大多数情况下）功能相同，但后者被认为是更好，更安全的代码，因为最终程序员用户不需要担心转义方案。

are (in most contexts) functionally equivalent, but the later is considered better, more secure code since the end programmer user doesn't need to worry about escaping schemes.

推荐答案

似乎这个问题的最佳答案在于另一个问题。

Seems as through the best answer to this question lies in another question.

总而言之，PHP的JSON编码器会转义所有非ASCII字符，因此不能将新行/回车符插入到JSON属性的Javascript字符串部分的bollacks中。对于其他JSON编码器可能不是这样。

To sum up, PHP's JSON encoder escapes all non ASCII characters, so newlines/carriage returns can't be inserted to bollacks up the Javascript string portion of the JSON property. This may not be true of other JSON encoders.

但是，将原始字符串传递给JSON编码会导致通常的一连串XSS攻击，以下常量组合建议。

However, passing in a raw string to JSON encode can lead to the usual litany of XSS attacks, the following combination of constants is suggested.

var v= <?php echo json_encode($value, JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS); ?>;

或确保传递给的变量json_encode 实际上是一个对象。

or ensure the variable passed to json_encode is really an object.

这篇关于json_encode是否有足够的XSS保护？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！