在PHP站点中避免xss攻击的最佳实践是什么 [英] What are the best practices for avoiding xss attacks in a PHP site
问题描述
我已经配置了PHP,以便打开了魔引号,并且关闭了全局寄存器.
I have PHP configured so that magic quotes are on and register globals are off.
我会竭力始终对我从用户输入派生的任何输出调用htmlentities().
I do my best to always call htmlentities() for anything I am outputing that is derived from user input.
我有时还会在数据库中查找xss附带的常见内容,例如...
I also occasionally seach my database for common things used in xss attached such as...
<script
我还应该做些什么,以及如何确保要尝试做的事情总是完成.
What else should I be doing and how can I make sure that the things I am trying to do are always done.
推荐答案
转义输入并不是成功执行XSS预防的最佳方法.输出也必须转义.如果使用Smarty模板引擎,则可以使用|escape:'htmlall'
修饰符将所有敏感字符转换为HTML实体(我使用自己的|e
修饰符,这是上面的别名).
Escaping input is not the best you can do for successful XSS prevention. Also output must be escaped. If you use Smarty template engine, you may use |escape:'htmlall'
modifier to convert all sensitive characters to HTML entities (I use own |e
modifier which is alias to the above).
我对输入/输出安全性的处理方法是:
My approach to input/output security is:
- 存储用户输入未修改(输入不转义HTML,仅通过PDO准备的语句完成DB感知转义)
- 根据您使用的输出格式(例如HTML和JSON需要不同的转义规则)来转义输出
这篇关于在PHP站点中避免xss攻击的最佳实践是什么的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!