Is htmlspecialchars() required on ALL output?


Problem description



I am writing some scripts for Expression Engine and have been told that every single piece of data which we output to the page, requires 'sanitizing', to prevent XSS.

For example here, I am fetching all Categories from the database, sorting into an array and returning to Expression Engine.

PHP Function

public function categories()
{
    // Fetch the active categories (CodeIgniter-style query builder on the crm_db connection).
    $query = $this->crm_db->select('name, url_name')
        ->order_by("name", "asc")
        ->get_where('activities_categories', array('active' => 1));

    // Build the variable pairs consumed by the {cats} tag pair in the template.
    $activityCategories = array();
    foreach ($query->result() as $row)
    {
        $activityCategories[0]['cats'][] = array(
            'categoryName' => $row->name,
            'categoryURL'  => $row->url_name,
        );
    }
    return $this->EE->TMPL->parse_variables($this->EE->TMPL->tagdata, $activityCategories);
}

Template Code

{exp:activities:categories}
    {cats}
        <a href="/{categoryURL}">{categoryName}</a>
    {/cats}
{/exp:activities:categories}

I am being told that I need to use the htmlspecialchars() function on every single piece of data which is being output.

Is this necessary?

Is this correct?

Example:

foreach ($query->result() as $row)
{
    $activityCategories[0]['cats'][] = array(
        'categoryName' => htmlspecialchars($row->name),
        'categoryURL'  => htmlspecialchars($row->url_name),
    );
}

Many thanks! :)

Solution

htmlspecialchars() is required on ALL HTML output unless told otherwise.

Other output media (such as JS, JSON etc.) require their own escaping.
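The answer's point is that the escaper must match the output context, and the question's template actually has two contexts: `{categoryName}` lands in element text, while `{categoryURL}` lands inside an `href` attribute. The following is an added example, not code from the question, the answer or ExpressionEngine: it keeps one escaper per context (HTML, URL path segment, inline JS/JSON) and runs them over constructed rows that stand in for what the query could return if an attacker controlled `name` or `url_name`. The helper names `esc_html`, `esc_url_segment` and `esc_js` and the `$rows` data are assumptions made for the example; the EE `parse_variables()` call is replaced by a plain `echo` so the block runs on its own.

```php
<?php
// Added example, not code from the original question or answer: one escaper per
// output context, exercised on constructed hostile category records.

// HTML text and attribute context. ENT_QUOTES encodes both ' and " (before
// PHP 8.1 the default flags left single quotes alone), ENT_SUBSTITUTE turns
// invalid UTF-8 into U+FFFD instead of returning an empty string, and the
// charset is stated explicitly rather than inherited from default_charset.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL path segment placed inside href="/...": percent-encode first, then
// HTML-encode because the result still sits in an HTML attribute. After
// rawurlencode() nothing is left for esc_html() to touch, but the layering
// is what keeps a later change (e.g. appending a raw query string) safe.
function esc_url_segment(string $s): string
{
    return esc_html(rawurlencode($s));
}

// Inline JavaScript / JSON context: json_encode() with the JSON_HEX_* flags
// emits <, >, &, ' and " as \u003C etc., so the value cannot close a
// <script> element or break out of a quoted string.
function esc_js($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample rows (assumption for the example), shaped like the
// name/url_name columns the question's query selects.
$rows = [
    ['name' => 'Hiking & Walking',           'url_name' => 'hiking-walking'],
    ['name' => '<script>alert(1)</script>',  'url_name' => '" onmouseover="alert(1)'],
    ['name' => "O'Reilly's Tours",           'url_name' => 'o-reillys-tours'],
];

// Escape at the point where the output context is known, as in the
// question's second snippet, but with the URL value getting the URL escaper.
$cats = [];
foreach ($rows as $row) {
    $cats[] = [
        'categoryName' => esc_html($row['name']),            // element text
        'categoryURL'  => esc_url_segment($row['url_name']), // href="/..." segment
    ];
}

// Stand-in for the template's {cats} loop.
foreach ($cats as $cat) {
    echo '<a href="/' . $cat['categoryURL'] . '">' . $cat['categoryName'] . "</a>\n";
}
// Expected lines:
//   <a href="/hiking-walking">Hiking &amp; Walking</a>
//   <a href="/%22%20onmouseover%3D%22alert%281%29">&lt;script&gt;alert(1)&lt;/script&gt;</a>
//   <a href="/o-reillys-tours">O&#039;Reilly&#039;s Tours</a>

// The same names handed to a script block need the JS/JSON escaper; running
// htmlspecialchars() on them here would leave </script> breakouts intact
// inside a JS string and corrupt legitimate values with &amp; entities.
echo '<script>var categories = ' . esc_js(array_column($rows, 'name')) . ";</script>\n";
// Expected:
//   <script>var categories = ["Hiking \u0026 Walking","\u003Cscript\u003Ealert(1)\u003C\/script\u003E","O\u0027Reilly\u0027s Tours"];</script>
```

Two practical notes on the question's own code. First, `htmlspecialchars($row->url_name)` is the right escaper for the attribute boundary but the wrong one for the value: a `url_name` is a path segment, so `rawurlencode()` is what keeps characters such as `/`, `?` and `#` from changing the meaning of the link, and the leading `/` in the template prevents a `javascript:` scheme from being smuggled in. Second, pass the flags and charset explicitly: on PHP older than 8.1 a bare `htmlspecialchars($s)` does not encode single quotes, which matters for any attribute written with `'...'` delimiters.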
