Is htmlspecialchars() required on ALL output?
I am writing some scripts for Expression Engine and have been told that every single piece of data which we output to the page, requires 'sanitizing', to prevent XSS.
For example here, I am fetching all Categories from the database, sorting into an array and returning to Expression Engine.
PHP Function
public function categories()
{
$query = $this->crm_db->select('name, url_name')
->order_by("name", "asc")
->get_where('activities_categories', array('active'=>1));
foreach($query->result() as $row)
{
$activityCategories[0]['cats'][] = array(
'categoryName' => $row->name,
'categoryURL' => $row->url_name,
);
}
return $this->EE->TMPL->parse_variables($this->EE->TMPL->tagdata, $activityCategories);
}
Template Code
{exp:activities:categories}
{cats}
<a href="/{categoryURL}">{categoryName}</a>
{/cats}
{/exp:activities:categories}
I am being told that I need to use the htmlspecialchars() function on every single piece of data which is being outputted.
Is this necessary?
Is this correct?
Example:
foreach($query->result() as $row)
{
$activityCategories[0]['cats'][] = array(
'categoryName' => htmlspecialchars($row->name),
'categoryURL' => htmlspecialchars($row->url_name),
);
}
Many thanks! :)
htmlspecialchars() is required on ALL HTML output unless told otherwise.
Other output media (such as JS, JSON etc.) require their own escaping.
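The following is an added example, not code from the question, the answer or ExpressionEngine itself. It takes the same category data shape as the question and shows what "escape for the output context" means in practice: htmlspecialchars() for the text node and the attribute, rawurlencode() plus htmlspecialchars() for a value that becomes a URL path segment inside href, and json_encode() with the JSON_HEX_* flags for a value embedded in a script block. The sample rows, the helper names (escHtml, escUrlSegment, escJs) and the tiny stand-in for the {cats}...{/cats} template loop are constructed for illustration; ExpressionEngine's parse_variables() is assumed, as in the question, to substitute values without adding any escaping of its own.

```php
<?php
// Added example: context-aware escaping for the category data in the question.
// Helper names, sample rows and the mini template loop are constructed here;
// nothing in this file comes from ExpressionEngine.
declare(strict_types=1);

// HTML text node or double-quoted attribute value.
// ENT_QUOTES also escapes single quotes (needed if a template ever uses
// href='...'); ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// One path segment of a URL that lives inside an href attribute:
// percent-encode first (neutralises '/', '"', spaces, '..' tricks within the
// segment), then HTML-escape because the URL is attribute content.
function escUrlSegment(string $s): string
{
    return escHtml(rawurlencode($s));
}

// Data embedded in a <script> block: JSON is valid JavaScript, and the HEX
// flags turn < > & ' " into \uXXXX so the string can never close the script
// element early. HTML escaping is the wrong tool in this context.
function escJs($value): string
{
    $json = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
    return $json === false ? 'null' : $json;
}

// Constructed sample rows standing in for $query->result(); the second row is
// the kind of value a stored-XSS test would put in the database.
$rows = [
    ['name' => 'Rock Climbing', 'url_name' => 'rock-climbing'],
    ['name' => 'Arts & "Crafts" <script>alert(1)</script>', 'url_name' => 'arts "crafts"/../admin'],
];

// Escape while building the array, as the question proposes, so every
// template that prints {categoryName} or {categoryURL} receives safe HTML.
$cats = [];
foreach ($rows as $row) {
    $cats[] = [
        'categoryName' => escHtml($row['name']),
        'categoryURL'  => escUrlSegment($row['url_name']),
    ];
}

// Stand-in for the {cats}...{/cats} loop in the template.
foreach ($cats as $cat) {
    printf('<a href="/%s">%s</a>' . "\n", $cat['categoryURL'], $cat['categoryName']);
}
// Output for the second row:
// <a href="/arts%20%22crafts%22%2F..%2Fadmin">Arts &amp; &quot;Crafts&quot; &lt;script&gt;alert(1)&lt;/script&gt;</a>

// A script context needs its own encoder and the raw data, not the
// HTML-escaped copy (reusing $cats here would double-encode the names).
echo '<script>var categories = ' . escJs($rows) . ';</script>' . "\n";
```

The practical rule the example encodes: escape once, at output, with the encoder for the context the value lands in, and do not pass HTML-escaped data into JavaScript or vice versa. On PHP versions before 8.1 the default flags of htmlspecialchars() do not include ENT_QUOTES, so calling it without flags as in the question leaves single quotes untouched; PHP 8.1 changed the default to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, but passing the flags explicitly keeps the behaviour the same on every version.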