CodeIgniter - 为什么使用 xss_clean [英] CodeIgniter - why use xss_clean
问题描述
如果我正在清理我的数据库插入,并转义我用 htmlentities($text, ENT_COMPAT, 'UTF-8')
编写的 HTML - 是否还有必要过滤输入使用 xss_clean?它还有什么其他好处?
if I'm sanitizing my DB inserts, and also escaping the HTML I write with htmlentities($text, ENT_COMPAT, 'UTF-8')
- is there any point to also filtering the inputs with xss_clean? What other benefits does it give?
推荐答案
xss_clean() 很广泛,也很愚蠢.这个函数的 90% 对防止 xss 没有任何作用.例如寻找词alert
而不是document.cookie
.没有黑客会在他们的漏洞利用中使用 alert
,他们会用 xss 劫持 cookie 或读取 CSRF 令牌来制作 XHR.
xss_clean() is extensive, and also silly. 90% of this function does nothing to prevent xss. Such as looking for the word alert
but not document.cookie
. No hacker is going to use alert
in their exploit, they are going to hijack the cookie with xss or read a CSRF token to make an XHR.
然而,使用它运行 htmlentities()
或 htmlspecialchars()
是多余的.xss_clean()
修复问题而 htmlentities($text, ENT_COMPAT, 'UTF-8')
失败的情况如下:
However running htmlentities()
or htmlspecialchars()
with it is redundant. A case where xss_clean()
fixes the issue and htmlentities($text, ENT_COMPAT, 'UTF-8')
fails is the following:
<?php
print "<img src='$var'>";
?>
一个简单的 poc 是:
A simple poc is:
http://localhost/xss.php?var=http://domain/some_image.gif'%20onload=alert(/xss/)
http://localhost/xss.php?var=http://domain/some_image.gif'%20onload=alert(/xss/)
这会将 onload=
事件处理程序添加到图像标记.阻止这种形式的 xss 的方法是 htmlspecialchars($var,ENT_QUOTES);
或者在这种情况下 xss_clean()
也可以阻止这种情况.
This will add the onload=
event handler to the image tag. A method of stopping this form of xss is htmlspecialchars($var,ENT_QUOTES);
or in this case xss_clean()
will also prevent this.
但是,引用自 xss_clean() 文档:
However, quoting from the xss_clean() documentation:
没有什么是 100% 万无一失的,当然,但我一直无法得到任何东西都通过了过滤器.
Nothing is ever 100% foolproof, of course, but I haven't been able to get anything passed the filter.
话虽如此,XSS 是一个输出问题
不是输入问题
.例如,这个函数不能考虑变量已经在 标签或事件处理程序中.它也不会阻止基于 DOM 的 XSS.您需要考虑您如何使用数据才能使用最佳功能.过滤所有输入数据是一种不好的做法.它不仅不安全,而且还会破坏数据,从而使比较变得困难.
That being said, XSS is an output problem
not an input problem
. For instance this function cannot take into account that the variable is already within a <script>
tag or event handler. It also doesn't stop DOM Based XSS. You need to take into consideration how you are using the data in order to use the best function. Filtering all data on input is a bad practice. Not only is it insecure but it also corrupts data which can make comparisons difficult.
这篇关于CodeIgniter - 为什么使用 xss_clean的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!