如何阻止javascript://作为url参数 [英] How to block javascript:// as url parameter

查看:82
本文介绍了如何阻止javascript://作为url参数的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我目前正在为PHP中的留言簿编写PHP脚本,人们可以将其名称,网站和消息放在表单中,但我想阻止某人将javascript://放在de url框中以降低风险对于XSS,我试图解决这个问题:

 <?php filter_var($ _ POST ['website'], FILTER_VALIDATE_URL)?>

但是我仍然可以将javascript://放在de url框中我怎么能阻止这个使用preg_replace 

  $ website = preg_replace(/(javascript:\ / \ /)/ i,http://,mysql_real_escape_string($ _ POST ['website']));

或使用str_ireplace 

  $ website = str_ireplace(javascript:,http:,mysql_real_escape_string($ _ POST ['website']));


I'm currently writing a PHP script for a guestbook in PHP where people can put their name, website and messages in a form, but I want to prevent someone from putting javascript:// in de url box to reduce the risk of XSS, I've tried to solve this with:

<?php filter_var($_POST['website'], FILTER_VALIDATE_URL) ?>

But I'm still able of putting javascript:// in de url box how could I prevent this?

解决方案

with preg_replace

$website = preg_replace("/(javascript:\/\/)/i", "http://", mysql_real_escape_string($_POST['website']));

or with str_ireplace

$website = str_ireplace("javascript:", "http:", mysql_real_escape_string($_POST['website']));

这篇关于如何阻止javascript://作为url参数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
PHP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆