HTML Purifier不能做什么安全的PHP编程呢? [英] What does HTML Purifier do that secure PHP programming can't?
问题描述
我正在研究PHP安全最佳做法,尤其是 HTML Purifier 库.
I'm researching PHP security best practices and specifically the HTML Purifier library.
我喜欢使用第三方库来增强我的网站的安全性的想法,但是我对一些事情感到困惑...
I like the idea of using a third-party library to help strengthen the security of my sites, but I'm confused about a few things...
-
首先,这是一个普遍的问题... HTML Purifier在安全的PHP编程中做不到什么?
First, a general question... What does HTML Purifier do that practicing secure PHP programming can't?
如果我使用的是HTML Purifier,这是否意味着我可以跳过一些常见的安全措施,例如使用PHP函数来过滤输入和转义输出?
If I'm using HTML Purifier, does that mean I get to skip common security measures like using PHP functions to filter input and escape output?
针对此问题的回应注释之一似乎表明仅允许HTML标记的元素(例如WYSIWYG编辑器)才需要HTML Purifier.这是正确的吗?
One of the response comments for this question seems to suggest that HTML Purifier is only needed for elements that allow HTML tags, such as WYSIWYG editors. Is this correct?
是否有人注意到使用HTML Purifier会导致性能下降? 本文使性能影响似乎值得考虑.
Has anyone noticed a performance lag from using HTML Purifier? This article makes it seem like performance impact is worth considering.
是否存在有关将HTML Purifier与非框架PHP应用程序集成的最新教程?我发现的所有内容都是旧或
Are there any up-to-date tutorials on integrating HTML Purifier with a non-framework PHP application? Everything I've found is either old or framework-specific.
在问这个之前只是要确认我已经完成了功课...
Just to confirm that I've done my homework before asking this...
This question is essentially the same as mine, but the lone response seems to just list another best practice that the asker forgot to mention
这个丰富的"问题是关于HTML Purifier和HTML5,但具有基础知识
This 'bountiful' question is a terrific resource about HTML Purifier and HTML5, but assumes foundational knowledge
HTML Purifier网站上的此比较页更多是与其他过滤器的比较
This comparison page on HTML Purifier's site is more of a comparison to other filters
推荐答案
在接受用户的任何输入时,有两个极端:
There are two extremes when accepting any input from your users:
- 不加选择地将所有内容转义为HTML实体,因此用户无法注入任何内容.这是100%安全的,但不允许用户自由添加任何 HTML,例如 bolging 文本等.
- 在您从用户那里收到内容时将其输出.这样一来,用户可以< b> 粗体文本</b> ;,也可以有意或无意地以用户希望的任何其他形式注入脚本或与HTML混淆.
- Indiscriminately escape everything to HTML entities, so the user can inject nothing. This is 100% secure, but allows the user no freedom to add any HTML, for example for bolding text and the like.
- Output the content as you received it from the user. This allows the user to <b>bold text</b>, but also to inject scripts or mess with your HTML in any other form the user desires, intentionally or unintentionally.
HTML Purifier具有中间立场:允许用户注入 some HTML,但不能注入恶意 HTML.当然这是一件很麻烦的事情,但是HTML Purifier据说是少数几个(即使不是唯一的)正确的库之一.
HTML Purifier allows a middle ground: allow the user to inject some HTML, but not malicious HTML. That's a messy thing to attempt of course, but HTML Purifier is purportedly one of the few libraries, if not the only, that gets it right.
这是它应该用于的唯一内容.不要放弃其他安全做法.实际上,我将通过允许用户仅使用受控的标记语言来设置输入样式来完全避免整个问题,例如Markdown(Stackoverflow使用的语言).
That's the only thing it's supposed to be used for. Don't drop your other security practices. In fact, I'd avoid the whole issue entirely by allowing users to only use a controlled markup language to style their input, such as Markdown (which Stackoverflow uses).
这篇关于HTML Purifier不能做什么安全的PHP编程呢?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
