如何阻止javascript://作为url参数 [英] How to block javascript:// as url parameter
本文介绍了如何阻止javascript://作为url参数的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我目前正在为PHP中的留言簿编写PHP脚本,人们可以将其名称,网站和消息放在表单中,但我想阻止某人将javascript://放在de url框中以降低风险对于XSS,我试图解决这个问题:
<?php filter_var($ _ POST ['website'], FILTER_VALIDATE_URL)?>
但是我仍然可以将javascript://放在de url框中我怎么能阻止这个使用preg_replace
$ website = preg_replace(/(javascript:\ / \ /)/ i,http://,mysql_real_escape_string($ _ POST ['website']));
或使用str_ireplace
$ website = str_ireplace(javascript:,http:,mysql_real_escape_string($ _ POST ['website']));
I'm currently writing a PHP script for a guestbook in PHP where people can put their name, website and messages in a form, but I want to prevent someone from putting javascript:// in de url box to reduce the risk of XSS, I've tried to solve this with:
<?php filter_var($_POST['website'], FILTER_VALIDATE_URL) ?>
But I'm still able of putting javascript:// in de url box how could I prevent this?
解决方案
with preg_replace
$website = preg_replace("/(javascript:\/\/)/i", "http://", mysql_real_escape_string($_POST['website']));
or with str_ireplace
$website = str_ireplace("javascript:", "http:", mysql_real_escape_string($_POST['website']));
这篇关于如何阻止javascript://作为url参数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文