防止xss攻击的更好方法 [英] better way preventing xss attack
问题描述
这两种方法中哪一种是防止 xss 攻击的更好方法?
Which of the two is a better way to prevent an xss attack?
- 保存在 db 中的 HTMLEntities
- 显示/回显时的 HTMLEntities
我觉得第一个更好,因为您可能会在显示时忘记添加它.
I find the first one better because you may forget to add this while displaying.
推荐答案
这两者中哪一个是防止xss攻击的更好方法.
which of the two is a better way to prevent xss attack.
- 保存在 db 中的 HTMLEntities
- 显示/回显时的 HTML 实体
2 — 您应该在最后一刻转换为目标格式.例如,如果您决定使用电子邮件、PDF 中的相同内容作为文本返回给用户进行编辑等,这可以避免以后出现问题.
2 — you should convert to the target format at the last possible moment. This saves you from problems down the road should you, for example, decide you want to use the same content in an email, a PDF, as text back to the user for editing, etc, etc.
我发现第一个更好,因为你可能会在显示时忘记添加这个
i find the first one better coz you may forget to add this while displaying
你也可能忘记插入数据库.
You might forget when inserting into the database too.
此外,并非所有数据都会进入数据库.例如即将插入的数据的预览或由于错误而将数据放回表单中都是可能的 XSS 向量.您不想处理诸如在放入数据库之前编码,或者如果文档不是来自数据库而回显到文档中"之类的事情.异常是让自己陷入忘记编码的最佳方式.
Also, not all data goes into the database. e.g. A preview of data about to be inserted or data put back into a form because of errors are both possible XSS vectors. You don't want to be dealing with things like "Encode before putting into the database, or when echoing back into the document if it didn't come from a database". Exceptions are the best way to get yourself into a situation where you forget to encode.
这篇关于防止xss攻击的更好方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
