防止XSS或其他东西的正则表达式? [英] Regular expressions to prevent XSS or something else?
问题描述
我正在尝试保护我的网站免受跨站点脚本(XSS)的侵扰,并且正在考虑使用正则表达式来验证用户输入.
I am trying to protect my website from Cross-Site Scripting (XSS) and I'm thinking of using regular expressions to validate user inputs.
这是我的问题:我有一个危险的HTML标签列表...
Here is my question: I have a list of dangerous HTML tags...
<applet>
<body>
<embed>
<frame>
<script>
<frameset>
<html>
<iframe>
<img>
<style>
<layer>
<link>
<ilayer>
<meta>
<object>
...并且我想将它们包括在正则表达式中-这可能吗?如果没有,我应该怎么用?您有任何想法如何实现类似的东西吗?
...and I want to include them in regular expressions - is this possible? If not, what should I use? Do you have any ideas how to implement something like that?
推荐答案
Please read over the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet for a broad array of information. Black listing tags is not a very efficient way to do it and will leave gaps. You should filter input, sanitize before outputting to browser, encode HTML entities, and various other techniques discussed in my link.
这篇关于防止XSS或其他东西的正则表达式?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!