Is $_SERVER['HTTP_REFERER'] safe?


Question

I'm using $_SERVER['HTTP_REFERER'] to generate a dynamic back link.

<a href="<?php echo $_SERVER['HTTP_REFERER'] ?>">Return to..blah</a>

Is this reasonable?

Accepted answer

Not really.

It might not be present. (It might be wrong: some personal firewall packages obfuscate the referer for privacy reasons, violating the HTTP spec along the way.)

You should run anything coming from outside your system through htmlspecialchars to guard against XSS attacks (although, IIRC, the referer should never have any dangerous characters in it, as they should be URL safe, you should keep in the habit of always being cautious).

Browsers come with back buttons, though; there is no need to try to duplicate their functionality (especially when, with this, if the user clicks a link marked "back" it doesn't take them back in their history, so clicking the normal back button will conceptually take them forwards).
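As an added example (not code from the question or the answer), here is one way to build the back link so that the points above are handled: an absent or malformed Referer falls back to a default, a Referer pointing at another host or a non-HTTP scheme is ignored, and the result is escaped with htmlspecialchars before it lands in the href attribute. The trusted host name and the sample headers are constructed for the demonstration.

```php
<?php
// Added example, not from the original post. Build a "back" href that only
// trusts the Referer header when it is present, parsable and points back to
// this site; $trustedHost and the sample values below are assumptions.

/**
 * Return an href for a back link, or $fallback when the Referer cannot be trusted.
 */
function safe_back_href(array $server, string $trustedHost, string $fallback = '/'): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return $fallback;                 // header absent (privacy tools, firewalls)
    }

    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;                 // malformed value, do not trust it
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;                 // only web URLs belong in an href here
    }
    if (strcasecmp($parts['host'], $trustedHost) !== 0) {
        return $fallback;                 // off-site referer: never link users away
    }

    // Rebuild only path + query, dropping userinfo, port and fragment from the header.
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $path . $query;
}

// Constructed sample headers for an offline check.
$samples = [
    ['HTTP_REFERER' => 'https://example.com/list?page=2'],   // same site: kept as /list?page=2
    ['HTTP_REFERER' => 'https://other.example/somewhere'],   // other host: fallback
    ['HTTP_REFERER' => 'ftp://example.com/file'],            // non-HTTP scheme: fallback
    [],                                                       // header missing: fallback
];
foreach ($samples as $s) {
    $href = safe_back_href($s, 'example.com', '/');
    // ENT_QUOTES so neither quote character can break out of the attribute.
    echo '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Return</a>' . "\n";
}
```

The escaping step is still applied unconditionally, as the answer recommends, even though the validation above already rejects most unexpected input.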

