Sanitizing input but output not as expected

Question

This is one of my forms(PHP+MySQL, textarea replaced by TinyMCE). It records description with paragraphs, bullets, headings and text alignment (right, left, center and justify).

After submitting, the record shows as

<p style="text-align: justify;"><strong>Introduction</strong></p>
<p style="text-align: justify;">The death of the pixel leaves you with a flowing, magazine-quality canvas to design for. A canvas where curves are curves, not ugly pixel approximations of curves. A canvas that begins to blur the line between what we consider to be real and what we consider to be virtual.</p>
<p style="text-align: justify;">It wasn't too long ago that there was one set of rules for use of type on print and use of type on screen. Now that we have screens that are essentially print quality, we have to reevaluate these conventions.</p>
<p style="text-align: justify;">Web sites are transforming from boring fields of Arial to embrace the gamut of typographical possibilities offered by web fonts. Web fonts, combined with the style and layout options presented by the creative use of CSS and JavaScript offer a new world of typographic oppor</p>
<ol>
<li style="text-align: justify;">point 1</li>
<li style="text-align: justify;">point 2</li>
<li style="text-align: justify;">point 3</li>
</ol>

I read that you need to sanitize any data that goes into the database to avoid XSS and started looking for a solution.

The solution I found is to use "htmlspecialchars()" (Source: Lynda.com - Creating Secure PHP Websites).

So, the tutorial says that we need to sanitize our input before saving to the database and use something like (sample code)

<?php
    if($_SERVER['REQUEST_METHOD'] === 'POST') {
        $category_description = $_POST['category_description'];
        echo $category_description;
        echo '<br><br>';
        echo htmlspecialchars($category_description);
        echo '<br><br>';
        echo htmlentities($category_description);
        echo '<br><br>';
        echo strip_tags($category_description);

    }
?>

to avoid XSS.

I get it till here. The htmlspecialchars() function converts some predefined characters to HTML entities, htmlentities() converts characters to HTML entities and strip_tags() removes any tags altogether.

But after using htmlspecialchars(), htmlentities() and strip_tags(), the output now renders as

which I believe is safe but doesn't look good on the front page when fetched from the database.

How do I render an input which has been passed through htmlspecialchars or htmlentities?

Answer

My suggestion is to build a function to sanitize all your text inputs and a function to check all your outputs that come from the database or any other sources, like the following:

<?php
// filter for user input: normalise the raw text before it is stored
function filterInput($content)
{
    $content = trim($content);         // drop leading/trailing whitespace
    $content = stripslashes($content); // undo magic_quotes-style backslash escaping

    return $content;
}

// filter for viewing data: escape at output time so the browser treats it as text
function filterOutput($content)
{
    // ENT_NOQUOTES encodes < > & but leaves ' and " alone, so this output is
    // only safe in element content, not inside an attribute value
    $content = htmlentities($content, ENT_NOQUOTES);
    $content = nl2br($content, false); // turn newlines into <br> tags

    return $content;
}

Depending on your strategy, you might add extra features to the filter or remove some. But the functions you have here are enough to protect you against XSS.

EDIT: in addition to the above functions, this answer might also be relevant to part of your website protection.

Reference for the different methods:

  • trim: http://php.net/manual/en/function.trim.php
  • stripslashes: http://php.net/manual/en/function.stripslashes.php
  • htmlentities: http://php.net/manual/en/function.htmlentities.php
  • nl2br: http://php.net/manual/en/function.nl2br.php

It is also a good idea to look at following links:

  • What's the best method for sanitizing user input with PHP?
  • The ultimate clean/secure function

And importantly, it is good to be aware of the Top 10 risks and learn more about them.
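As an added example, not code from the question or from the answer above, here is one way to handle both kinds of field this thread runs into. The question's sample code escapes everything with htmlspecialchars/htmlentities/strip_tags, which is exactly why the TinyMCE HTML comes back as visible markup, and the answer's filterOutput escapes at output time, which is right for plain text but still flattens rich text. The block below stores the submission unchanged and decides at render time: a plain field is escaped (with ENT_QUOTES, so it is also safe inside an attribute), while the rich-text description goes through an allow-list filter built on PHP's DOMDocument that keeps only the tags and the text-align style visible in the question's stored record and drops everything else. The function names escapeText, filterRichText, cleanNode and alignFrom, the ALLOWED_TAGS list and the sample input are assumptions made for this example.

```php
<?php
// Added example, not code from the question or the answer: escape-on-output
// for plain fields, allow-list filtering for the TinyMCE description.
declare(strict_types=1);

// Plain-text context (a title, a category name). ENT_QUOTES also encodes
// ' and ", so the result is safe in element content and in attribute values.
function escapeText(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Rich-text context. The allow-list is an assumption for this example: it
// covers the tags in the question's stored record plus a few TinyMCE
// defaults; extend it to match the toolbar you actually enable.
const ALLOWED_TAGS = ['p', 'strong', 'em', 'ol', 'ul', 'li', 'h1', 'h2', 'h3', 'br'];

function filterRichText(string $html): string
{
    $doc = new DOMDocument();
    // Wrap the fragment in a known container and declare UTF-8 so that
    // multibyte text survives parsing and serialisation.
    $wrapped = '<!DOCTYPE html><html><head>'
        . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body><div id="root">' . $html . '</div></body></html>';
    $previous = libxml_use_internal_errors(true); // tolerate sloppy markup quietly
    $doc->loadHTML($wrapped);
    libxml_use_internal_errors($previous);

    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    if ($root === null) {
        return '';
    }
    cleanNode($root);

    // Serialise only the children of the wrapper, not the wrapper itself.
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Walk the tree: drop elements not on the allow-list together with their
// subtree (which is what removes <script>, <iframe>, <img> and the like),
// strip every attribute, and re-add only a validated text-align style.
function cleanNode(DOMNode $node): void
{
    // Iterate over a copy, because the loop removes children as it goes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            if (!in_array(strtolower($child->tagName), ALLOWED_TAGS, true)) {
                $node->removeChild($child);
                continue;
            }
            $align = alignFrom($child->getAttribute('style'));
            foreach (iterator_to_array($child->attributes) as $attr) {
                $child->removeAttribute($attr->name); // drops on* handlers, href, src, ...
            }
            if ($align !== null) {
                $child->setAttribute('style', 'text-align: ' . $align . ';');
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, processing instructions
        }
    }
}

// Accept exactly one text-align declaration with one of the four values
// TinyMCE's alignment buttons emit; anything else is discarded.
function alignFrom(string $style): ?string
{
    if (preg_match('/^\s*text-align\s*:\s*(left|right|center|justify)\s*;?\s*$/i', $style, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

// Constructed input: the question's markup plus an inline handler, a script
// element and an HTML comment that the filter must not let through.
$submitted = '<p style="text-align: justify;"><strong>Introduction</strong></p>'
    . '<p style="text-align: justify;" onmouseover="void(0)">Web fonts &amp; CSS</p>'
    . '<script>console.log("injected")</script><!-- note -->'
    . '<ol><li style="text-align: justify;">point 1</li></ol>';

// Save $submitted as-is (through a prepared statement); filter when displaying:
echo filterRichText($submitted);
// The paragraphs and list keep their alignment; the onmouseover attribute,
// the <script> element and the comment are gone, and "&amp;" stays escaped.

// A plain field goes through escapeText instead, even inside an attribute:
echo '<input name="category_name" value="' . escapeText('Type & "layout"') . '">';
```

The design choice here is the one the question is really asking about: escaping and filtering are two different operations for two different contexts. htmlspecialchars is the right tool when the value must be displayed as literal text, and it has to be applied at output time rather than before storage, otherwise the stored record is double-encoded or useless for anything but HTML. Markup that is meant to be rendered cannot be escaped without losing it, so it has to be reduced to an allow-list instead; unknown elements are removed with their content, and attributes are rebuilt from scratch rather than filtered by a deny-list, so a new attribute name or an unexpected style property never gets through by default. For a production site, a maintained library such as HTML Purifier gives the same shape of filter with a much more complete allow-list than the ten tags assumed above.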
