用户输入过滤 - 我需要过滤 HTML 吗? [英] User input filtering - do I need to filter HTML?

问题描述

注意:我在别处负责 SQL 注入和输出转义 - 这个问题仅与输入过滤有关，谢谢.

我正在重构我的用户输入过滤功能.在使用 filter_var() 将 GET/POST 参数传递给特定于类型的过滤器之前 我执行以下操作:

I'm in the middle of refactoring my user input filtering functions. Before passing the GET/POST parameter to a type-specific filter with filter_var() I do the following:

• 使用 mb_detect_encoding() 检查参数编码
• 使用 iconv() 转换为 UTF-8(使用//IGNORE) 如果它不是 ASCII 或 UTF-8
• 使用 GnuCitizen.org 上的一个函数来清理空白
• 通过 strip_tags() 传递结果 - 无标签完全允许，仅 Markdown

• check the parameter encoding with mb_detect_encoding()
• convert to UTF-8 with iconv() (with //IGNORE) if it's not ASCII or UTF-8
• clean white-spaces with a function found on GnuCitizen.org
• pass the result thru strip_tags() - no tags allowed at all, Markdown only

现在的问题是:将参数传递给像 htmLawed 或 HTML Purifier，或者我可以认为输入是安全的吗?在我看来，这两者的主要区别在于允许的 HTML 元素和属性的粒度(我不感兴趣，因为我删除了所有内容)，但是 htmLawed 文档有一个关于 '危险字符'表明可能有使用它的理由.在这种情况下，它的合理配置是什么?

Now the question: does it still make sense to pass the parameter to a filter like htmLawed or HTML Purifier, or can I think of the input as safe? It seems to me that these two differ mostly on the granularity of allowed HTML elements and attributes (which I'm not interested into, as I remove everything), but htmLawed docs have a section about 'dangerous characters' that suggests there might be a reason to use it. In this case, what would be a sane configuration for it?

推荐答案

有许多不同的 XSS 安全方法.知道您的方法是否有效的唯一原因是通过开发进行测试.我建议使用 免费 XSS 漏洞扫描器*，或开源 wapiti.

There are many different approaches to XSS that are secure. The only why to know if your approach holds water is to test though exploitation. I recommend using a Free XSS vulnerability Scanner*, or the open source wapiti.

老实说我永远不会使用strip_tags()，因为你并不总是需要html标签来执行javascript！我喜欢 htmlspecialchars($var,ENT_QUOTES); .

To be honest I'll never use strip_tags() becuase you don't always need html tags to execute javascript! I like htmlspecialchars($var,ENT_QUOTES); .

例如，这很容易受到 xss 的攻击:

For instance this is vulnerable to xss:

print('<A HREF="http://www.xssed.com/'.strip_tags($_REQUEST[xss]).'">link</a>');

在这种情况下，您不需要 <> 来执行 javascript，因为您可以使用onmouseover，这是一个示例攻击:

You don't need <> to execute javascript in this case because you can use onmouseover, here is an example attack:

$_REQUEST[xss]='" onMouseOver="alert(/xss/)"';

ENT_QUOTES 将处理双引号，这将修补此 XSS 漏洞.

The ENT_QUOTES will take care of the double quotes which will patch this XSS vulnerability.

*我隶属于该网站/服务.

*I am affiliated with this site/service.

这篇关于用户输入过滤 - 我需要过滤 HTML 吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！