CodeIgniter - 为什么使用 xss_clean [英] CodeIgniter - why use xss_clean
问题描述
如果我正在清理我的数据库插入,并转义我用 htmlentities($text, ENT_COMPAT, 'UTF-8') 编写的 HTML - 是否还有必要过滤输入使用 xss_clean?它还有什么其他好处?
if I'm sanitizing my DB inserts, and also escaping the HTML I write with htmlentities($text, ENT_COMPAT, 'UTF-8') - is there any point to also filtering the inputs with xss_clean? What other benefits does it give?
推荐答案
xss_clean() 很广泛,也很愚蠢.这个函数的 90% 对防止 xss 没有任何作用.例如寻找词alert 而不是document.cookie.没有黑客会在他们的漏洞利用中使用 alert,他们会用 xss 劫持 cookie 或读取 CSRF 令牌来制作 XHR.
xss_clean() is extensive, and also silly. 90% of this function does nothing to prevent xss. Such as looking for the word alert but not document.cookie. No hacker is going to use alert in their exploit, they are going to hijack the cookie with xss or read a CSRF token to make an XHR.
然而,使用它运行 htmlentities() 或 htmlspecialchars() 是多余的.xss_clean() 修复问题而 htmlentities($text, ENT_COMPAT, 'UTF-8') 失败的情况如下:
However running htmlentities() or htmlspecialchars() with it is redundant. A case where xss_clean() fixes the issue and htmlentities($text, ENT_COMPAT, 'UTF-8') fails is the following:
<?php
print "<img src='$var'>";
?>
一个简单的 poc 是:
A simple poc is:
http://localhost/xss.php?var=http://domain/some_image.gif'%20onload=alert(/xss/)
http://localhost/xss.php?var=http://domain/some_image.gif'%20onload=alert(/xss/)
这会将 onload= 事件处理程序添加到图像标记.阻止这种形式的 xss 的方法是 htmlspecialchars($var,ENT_QUOTES); 或者在这种情况下 xss_clean() 也可以阻止这种情况.
This will add the onload= event handler to the image tag. A method of stopping this form of xss is htmlspecialchars($var,ENT_QUOTES); or in this case xss_clean() will also prevent this.
但是,引用自 xss_clean() 文档:
However, quoting from the xss_clean() documentation:
没有什么是 100% 万无一失的,当然,但我一直无法得到任何东西都通过了过滤器.
Nothing is ever 100% foolproof, of course, but I haven't been able to get anything passed the filter.
话虽如此,XSS 是一个输出问题 不是输入问题.例如,这个函数不能考虑变量已经在
