PHP XSS sanitization


Question

What are the best safe1(), safe2(), safe3(), and safe4() functions to avoid XSS for UTF8 encoded pages? Is it also safe in all browsers (specifically IE6)?

<body><?php echo safe1($xss)?></body>

<body id="<?php echo safe2($xss)?>"></body>

<script type="text/javascript">
  var a = "<?php echo safe3($xss)?>";
</script>

<style type="text/css">
  .myclass {width:<?php echo safe4($xss)?>}
</style>

Many people say the absolute best that can be done is:

// safe1 & safe2
$s = htmlentities($s, ENT_QUOTES, "UTF-8");

// But how would you compare the above to:
//    https://github.com/shadowhand/purifier
// OR http://kohanaframework.org/3.0/guide/api/Security#xss_clean
// OR is there an even better if not perfect solution?

// safe3
$s = mb_convert_encoding($s, "UTF-8", "UTF-8");
$s = htmlentities($s, ENT_QUOTES, "UTF-8");

// How would you compare this to using mysql_real_escape_string($s)?
// (Yes, I know this is a DB function)
// Some other people also recommend calling json_encode() before passing to htmlentities
// What's the best solution?

There are a hell of a lot of posts about PHP and XSS. Most just say "use HTMLPurifier" or "use htmlspecialchars", or are wrong. Others say use OWASP -- but it is EXTREMELY slow. Some of the good posts I came across are listed below:

Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

XSS Me warning - real XSS problem?

CodeIgniter - why use xss_clean

Answer

safe2() is obviously htmlspecialchars().

In place of safe1() you should really be using HTMLPurifier to sanitize complete blobs of HTML. It strips unwanted attributes, tags and in particular anything javascriptish. Yes, it's slow, but it covers all the small edge cases (even for older IE versions) which allow for safe HTML user snippet reuse. But check out http://htmlpurifier.org/comparison for alternatives. -- If you really only want to display raw user text there (no filtered html), then htmlspecialchars(strip_tags($src)) would actually work fine.

safe3() screams regular expression. Here you can really only apply a whitelist to whatever you actually want:

var a = "<?php echo preg_replace('/[^-\w\d .,]/', "", $xss)?>";

You can of course use json_encode here to get a perfectly valid JS syntax and variable. But then you've just delayed the exploitability of that string into your JS code, where you then have to babysit it.


Is it also safe in all browsers (specifically IE6)?

If you specify the charset explicitly, then IE won't do its awful content detection magic, so UTF7 exploits can be ignored.
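As an added example (not code from the question or from the answer above), here is one encoder per output context for the four slots in the question, following the answer's advice: htmlspecialchars() for the HTML text and attribute contexts, json_encode() with the JSON_HEX_* flags for the JavaScript string, and an allowlist rather than an escaper for the CSS value, with the charset declared explicitly. The function names safe1() to safe4() are the question's; their bodies, the renderPage() helper and the payload string are this example's own assumptions, and it assumes PHP 7.3 or later (JSON_THROW_ON_ERROR).

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer: one encoder per
// output context. Assumes PHP >= 7.3 and a page served as UTF-8. The names
// safe1..safe4 come from the question; the implementations are this example's.

// Context 1: HTML text content.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// with U+FFFD instead of returning "" (which would silently drop the output).
function safe1(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Context 2: a quoted HTML attribute value. The same encoder is enough only
// because the template always wraps the value in double quotes; in an unquoted
// attribute a space or "=" would end the value, so never emit one unquoted.
function safe2(string $s): string
{
    return safe1($s);
}

// Context 3: a JavaScript string literal inside <script>. json_encode() returns
// a complete JS literal including its quotes, so the template must not add its
// own. JSON_HEX_* escape < > & ' " as \uXXXX, and "/" is escaped as "\/" by
// default, so "</script>" can never appear in the output and end the block.
// Non-ASCII is emitted as \uXXXX too, so the literal is safe whatever charset
// the browser decides the page is in.
function safe3(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
    );
}

// Context 4: a CSS length for "width:". Rather than escaping, allowlist the
// shape of a length (number, optional decimals, optional unit) and fall back
// to a fixed default for anything else.
function safe4(string $s, string $default = 'auto'): string
{
    return preg_match('/\A\d{1,5}(?:\.\d{1,3})?(?:px|em|rem|%)?\z/', $s) === 1
        ? $s
        : $default;
}

// The question's four templates, with the charset declared explicitly (the
// answer's condition for not worrying about UTF-7 sniffing in old IE). When
// serving over HTTP also send: header('Content-Type: text/html; charset=UTF-8');
function renderPage(string $xss): string
{
    return '<!DOCTYPE html><html><head><meta charset="UTF-8">' . "\n"
        . '<script type="text/javascript">var a = ' . safe3($xss) . ";</script>\n"
        . '<style type="text/css">.myclass {width:' . safe4($xss) . "}</style>\n"
        . '</head><body id="' . safe2($xss) . '">' . safe1($xss) . "</body></html>\n";
}

// Constructed payload (not from the page): tries to break out of the attribute,
// the element, the script block and the CSS rule in a single string.
$payload = '"><img src=x onerror=alert(1)></script><script>alert(2)</script>;}</style>';

echo renderPage($payload);
```

Run it with `php example.php` and inspect the output: every `<` and `"` in the HTML slots comes out as an entity, the JS slot is a single quoted literal with `\u003C` in place of `<`, and the CSS slot falls back to `auto` because the payload is not a length. Note the answer's caveat still applies to safe3(): json_encode() only guarantees that `var a` holds the attacker's string as data; if the JavaScript later writes `a` into `innerHTML` or passes it to `eval()`, the problem has merely moved into the script.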
