与XSS有关时htmlspecialchars与htmlentities [英] htmlspecialchars vs htmlentities when concerned with XSS

问题描述

我已经看到很多与此矛盾的答案.许多人喜欢引用php函数不能保护您免受xss侵扰的说法.

I have seen a lot of conflicting answers about this. Many people love to quote that php functions alone will not protect you from xss.

究竟什么XSS可以通过htmlspecialchars实现它，什么可以通过htmlentities来实现?

What XSS exactly can make it through htmlspecialchars and what can make it through htmlentities?

我了解功能之间的区别，但不了解您所剩下的不同级别的xss保护.有人可以解释吗?

I understand the difference between the functions but not the different levels of xss protection you are left with. Could anyone explain?

推荐答案

htmlspecialchars()不会保护您免受UTF-7 XSS漏洞的侵害，即使在IE 9中，该漏洞也仍然困扰着Internet Explorer:

htmlspecialchars() will NOT protect you against UTF-7 XSS exploits, that still plague Internet Explorer, even in IE 9: http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/

例如:

<?php
$_GET['password'] = 'asdf&ddddd"fancy˝quotes˝';

echo htmlspecialchars($_GET['password'], ENT_COMPAT | ENT_HTML401, 'UTF-8') . "\n";
// Output: asdf&amp;ddddd&quot;fancyË

echo htmlentities($_GET['password'], ENT_COMPAT | ENT_HTML401, 'UTF-8') . "\n";
// Output: asdf&amp;ddddd&quot;fancy&Euml;quotes

在清理用户输入时，您应该始终使用htmlentities，很少使用htmlspecialchars.另外，您应该先始终删除标签.对于真正重要且安全的网站，您应该 从不 .使用 HTMLPurifier for PHP .

You should always use htmlentities and very rarely use htmlspecialchars when sanitizing user input. ALso, you should always strip tags before. And for really important and secure sites, you should NEVER trust strip_tags(). Use HTMLPurifier for PHP.

这篇关于与XSS有关时htmlspecialchars与htmlentities的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！