回显变量时防止 XSS 攻击 [英] Prevent from XSS attacks when echoing variables
问题描述
当我在 PHP 中回显变量时,我需要防止 XSS 攻击.
I need to prevent from XSS attacks when I echoing variables in PHP.
例如,假设我的数据库中有两个值,一个是用户名,另一个是电子邮件地址.
For example, just assume I have two values from my database, one for username and the other one is email address.
$username
$email
所以现在我想在我的 HTML 中使用这些变量时防止 XSS 攻击.
So now I want to prevent from XSS attack when I using these variables in my HTML.
我使用 htmlspecialchars() 尝试了类似的方法 -
I tried it something like this using htmlspecialchars() -
<h5>Editing User <?php echo '"<strong>'.htmlspecialchars($username, ENT_QUOTES, 'UTF-8').'"</strong> (<strong>'; echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8').'</strong>)'; ?></h5>
这是从上面PHP
<h5>Editing User <strong>test_user</strong> (<strong>example@gmail.com</strong>)</h5>
那么,有人能告诉我这是我需要走的正确方法吗?如果不是这样,正确的方法是什么?
So, can somebody tell me is this the correct way do I need to go? If not so what is the correct way?
希望有人可以帮助我.谢谢你.
Hope somebody may help me out. Thank you.
推荐答案
HTML 实体编码适用于放入 HTML 文档正文(例如标签内)的不受信任数据.它甚至适用于进入属性的不受信任的数据,特别是如果您热衷于在属性周围使用引号.但是,如果您将不受信任的数据放入标签中的任何位置,或者将事件处理程序属性(如 onmouseover)放入 CSS 中,或者放入 URL 中,则 HTML 实体编码将不起作用.因此,即使您到处都使用 HTML 实体编码方法,您仍然很可能容易受到 XSS 的攻击.您必须对要放入不可信数据的 HTML 文档部分使用转义语法.这就是以下规则的全部内容.
HTML entity encoding is okay for untrusted data that you put in the body of the HTML document, such as inside a tag. It even sort of works for untrusted data that goes into attributes, particularly if you're religious about using quotes around your attributes. But HTML entity encoding doesn't work if you're putting untrusted data inside a tag anywhere, or an event handler attribute like onmouseover, or inside CSS, or in a URL. So even if you use an HTML entity encoding method everywhere, you are still most likely vulnerable to XSS. You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into. That's what the rules below are all about.
OWASP中的更多信息.
使用 htmlspecialchars 的正确方法是这样的:
The correct way to use htmlspecialchars is something like this:
echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
另外,请记住,用户可以发送像Jim onclick=alert('hi')"这样的用户名
Also, have in mind that a user could send a username like "Jim onclick=alert('hi')"
如果您不将 value 属性用引号括起来,您会得到如下结果:
If you don't wrap in quotes the value attribute, you'd get something like:
<input type="text" name="username" value=Jim onclick=alert('hi')>
总是在属性周围使用引号.即使它们不是用户输入的,也是一个好习惯.
ALWAYS use quotes around attributes. Even if they aren't user-inputted, it's a good habit to get into.
<input type="text" name="username" value="<?php echo htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8'); ?>">
考虑到这些事情,您应该在大多数情况下都得到保障.但是,如果你真的很挑剔,请阅读我之前提到的 OWASP 文档,它真的很有帮助.
Having these things in mind, you should be covered for most of the cases. However, if you want to be really picky, do read the OWASP document I mentioned before, it's really helpful.
更新
htmlspecialchars 与 htmlentities 似乎存在一些争议.我将总结我一直在阅读的一些内容,您可以选择两者中的任何一个:
There seems to be some controversy about htmlspecialchars vs htmlentities. I'm going to sum up a few things I've been reading and you can choose whatever of the two:
UTF-7 问题
htmlspecialchars 和 htmlentities 都容易受到臭名昭著的 UTF-7 问题的影响.他们都不支持这种编码.正如您在帖子底部提供的 SO 帖子的一些评论中所读到的:
Both htmlspecialchars and htmlentities are subceptible to the infamous UTF-7 problem. None of them support this encoding. As you can read in some of the comments of the SO posts provided at the bottom of the post:
如果您的页面/浏览器容易受到 UTF-7 问题的影响,htmlentities不会像 htmlspecialchars 那样帮助你.两者的他们将插入 < 的 UTF-7 编码.和 > 作为安全"的 ASCII字符并通过它们.
If your page/browser is vulnerable to the UTF-7 issue,
htmlentitiesisn't going to help you any more thanhtmlspecialcharswill. Both of them will interpet the UTF-7 encodings of < and > as just "safe" ASCII chars and pass them through.
解决方案:不要使用 UTF-7,并确保使用与文档相同的字符编码完成转义以避免引号消失:在您的标题中建立网页的编码与您将在 htmlspecialchars 中使用的编码相同(例如 UTF-8):
Solution: Don't use UTF-7 and also make sure that escaping is done using the same character encoding that the document is being served as to avoid disappearing quotes: establish in the header of your webpage the same encoding as the one you'll use in htmlspecialchars (UTF-8 for instance):
header('Content-Type: text/html; charset=utf-8');
htmlspecialchars 如果不指定第三个参数,将默认为 UTF-8(在 PHP 5.4/5.5 中),因此即使您忘记设置它也应该是安全的.
htmlspecialchars will default to UTF-8 (in PHP 5.4/5.5) if you don't specify the third parameter so you should be safe even if you forgot to establish it.
查看这篇关于该主题的有趣文章(以及一些关于 XSS 的更有用的信息).LINK
Check this interesting article talking about the topic (and some more useful info about XSS). LINK
htmlentities() 与 htmlspecialchars()
htmlspecialchars
- 当不需要对所有具有 HTML 等效项的字符进行编码时使用它,最好使用 htmlspecialchars,因为向客户端发送的代码较少.这不是一个可以掉以轻心的问题:发送的代码更少,网页速度更快.代码也比 htmlentities 生成的代码更具可读性.
- 有时您要编写 XML 数据,而无法在 XML 文件中使用 HTML 实体.
htmlentities
- 当需要对所有字符进行编码时.如果您的网页使用 ASCII 或 LATIN-1 等编码而不是 UTF-8.
检查我提供的文档和这个 SO 问题:
Check the documentation I provided and this SO questions:
htmlentities() 与 htmlspecialchars()
关注 XSS 时的 htmlspecialchars 与 htmlentities
然后选择最适合您的那个.
and choose the one that suits you best.
这篇关于回显变量时防止 XSS 攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
