Codeigniter - Disable XSS filtering on a post basis
I'm trying to set up a CMS on the back of a site, but whenever post data has a <a href=... in it, the post data gets scrapped.
I've got $config['global_xss_filtering'] = TRUE; in config.
My question is: is there a way of disabling XSS filtering for one item?
e.g. $this->input->post('content', true); - turns it on, but how to turn it off?
Thanks everyone.
PVS
If you want to change the default behavior of the post() method, you can extend the core Input library, or if you're lazy you can just change line 278 (or so) of the Input library to read:
    /**
     * Fetch an item from the POST array
     *
     * @access public
     * @param string
     * @param bool
     * @return string
     */
    function post($index = '', $xss_clean = TRUE)
    {
        return $this->_fetch_from_array($_POST, $index, $xss_clean);
    }
The only difference here is that I've changed the $xss_clean variable to TRUE instead of FALSE. Now you can turn off global XSS filtering and it will automatically filter inputs unless you specify false as the second parameter in your call to the Input library's post() method. Just one method down is the get() method, and you can change that in the same way.
However, if I were you, I'd just extend the native library, because there's a good chance you'll have forgotten about this by the time you update CodeIgniter, and then you'll suddenly be wondering why you're getting XSS attacked. That would look like this:
    class MY_Input extends CI_Input {
        function My_Input()
        {
            parent::CI_Input();
        }
        function post($index = '', $xss_clean = TRUE)
        {
            return parent::post($index, $xss_clean);
        }
    }
You can learn more about extending libraries here:
http://codeigniter.com/user_guide/general/creating_libraries.html
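An added example (not from the answer above and not CodeIgniter code) that goes one step beyond it: a CMS field read with $this->input->post('content', FALSE) arrives unfiltered, so it can be passed through an allow-list sanitizer before it is stored or rendered. The function names and the tag policy are assumptions; only PHP's built-in DOM extension is used.

```php
<?php
// Added example, not CodeIgniter code. Assumes the controller read the field
// with $this->input->post('content', FALSE) and passes the raw value here.
function clean_children(DOMNode $parent, array $allowed)
{
    // Copy the list first: the live child list shifts while nodes are removed.
    foreach (iterator_to_array($parent->childNodes) as $node) {
        if ($node instanceof DOMText) { continue; } // text is entity-escaped again by saveHTML()
        if (!($node instanceof DOMElement) || !isset($allowed[$node->nodeName])) {
            $parent->removeChild($node); // unknown tag or comment: drop it and its content
            continue;
        }
        foreach (iterator_to_array($node->attributes) as $attr) {
            if (!in_array($attr->nodeName, $allowed[$node->nodeName], true)) {
                $node->removeAttribute($attr->nodeName);
            }
        }
        // Links may only point to http(s) URLs or site-relative paths.
        if ($node->hasAttribute('href')
            && !preg_match('#^(https?://|/)#i', trim($node->getAttribute('href')))) {
            $node->removeAttribute('href');
        }
        clean_children($node, $allowed);
    }
}

function sanitize_cms_html($html)
{
    // Assumed policy for this example: tag => attributes allowed to remain.
    $allowed = array('p' => array(), 'br' => array(), 'b' => array(), 'i' => array(),
                     'ul' => array(), 'li' => array(), 'a' => array('href'));
    $doc = new DOMDocument();
    // The XML declaration makes libxml parse the fragment as UTF-8; @ hides markup warnings.
    @$doc->loadHTML('<?xml encoding="utf-8"?>' . $html);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }
    clean_children($body, $allowed);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: one allowed link plus markup the policy rejects.
$posted = '<p onclick="x()">See <a href="https://example.com/" style="x">docs</a> or <a href="javascript:void(0)">this</a></p><script>1</script>';
echo sanitize_cms_html($posted), "\n";
```

With the MY_Input override in place, every other field keeps the filtered default, and only the field passed through this function is read with FALSE.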