在MySQL中存储html的100%安全方式 [英] 100% safe way of storing html in MySQL
问题描述
我正在开发一个项目,允许公众(所以每个人)通过TinyMCE为他们自己的项目页面插入HTML。由于每个人都可以使用此功能,因此我需要100%安全的方式将TinyMCE输出插入到我的数据库中,并将其显示在另一页上,就像用户插入的一样。
XSS,SQL注入以及所有其他垃圾不是我想要在我的新网站上提供的!我可以做htmlentities - > htmlspecialchars并在稍后使用htmlentities_decode,但这是100%安全的,它是做到这一点的最好方法吗? 在大多数情况下,使用预准备语句很容易避免SQL注入。
如果您计划允许用户发布HTML标记,则XSS会更加困难。您需要从标签中删除所有< script> 标签,所有关于* 属性,所有 javascript: urls,即使如此,这可能不能完全保证使输入HTML安全。有些库可以提供帮助,例如 HTMLPurifier ,但只要您允许使用HTML,就有可能让某些东西恶意通过。
您可以使用实现诸如markdown或wikitext之类的库。这严重限制了用户可以输入的内容,同时仍然允许他们在一定程度上标记内容。它并不是完全防护的(人们仍然可以将链接发布到恶意网站,并希望用户点击它们,有些人实际上已经足够天真),并且您将无法使用丰富的编辑器,如TinyMCE,而无需进行某种排序的插件,但它是一个简单的工作来消毒降价比消毒HTML。
I'm working on a project where the public (so everyone) is allowed to insert HTML through TinyMCE for their own project page. Since everyone is allowed to use this feature, I need a 100% safe way of inserting the TinyMCE output into my database, and showing it on another page just as it was inserted by the user.
XSS, SQL injection and all that other crap is not what I want on my new website! I could do htmlentities -> htmlspecialchars and later on use htmlentities_decode, but is this 100% safe, and it is the best way of doing it?
SQL injection is in most cases easily avoided with the use of prepared statements.
XSS is more difficult if you're planning to allow users to post HTML markup. You need to remove all <script> tags, all on* attributes from tags, all javascript: urls, and even then that's probably not fully guaranteed to make the input HTML safe. There are libraries such as HTMLPurifier that can help, but so long as you allow HTML, you're at risk of letting something malicious through.
You could use a library that implements something such as markdown or wikitext instead. This severely limits what users can enter, whilst still letting them mark the content up to an extent. It's not fullproof (people can still just post links to malicious sites and hope users click through to them,which some will be naive enough to actually do), and you'll not be able to use a rich editor such as TinyMCE without some sort of plugin, but it's a much simpler job to sanitize markdown than it is to sanitize HTML.
这篇关于在MySQL中存储html的100%安全方式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
