输入是URL,如何保护它免受xss的侵害 [英] input is URL, how to protect it from xss
问题描述
我有一个接受URL的表单文本字段.提交表单后,我将使用适当的anti-sql-injection将此字段插入数据库.我的问题是关于xss的.
I have a form text field that accepts a url. When the form is submitted, I insert this field into the database with proper anti-sql-injection. My question though is about xss.
此输入字段是url,我需要在页面上再次显示它.在进入数据库的途中如何保护它免受xss的侵害(我已经考虑了sql注入,因此我认为什么都不需要了),以及在退出数据库的途中如何保护它?
This input field is a url and I need to display it again on the page. How do I protect it from xss on the way into the database (I think nothing is needed since I've already taken care of sql injection) and on the way out of the database?
让我们假装我们像这样,我正在简化它,请不要担心sql注入.那之后我从哪里去?
Let's pretend we have it like this, I'm simplifying it, and please don't worry about sql injection. Where do I go from here after that?
$url = $_POST['url'];
谢谢
推荐答案
假定将其放入HTML内容中(例如,在<body>和</body>之间或在<div>和</div>之间),需要编码5个特殊的XML字符(&,<,>,,"),并且OWASP建议还包括斜杠(/).PHP内置
Assuming this is going to be put into HTML content (such as between <body> and </body> or between <div> and </div>), you need to encode the 5 special XML characters (&, <, >, ", '), and OWASP recommends including slash (/) as well. The PHP builtin, htmlentities() will do the first part for you, and a simple str_replace() can do the slash:
function makeHTMLSafe($string) {
$string = htmlentities($string, ENT_QUOTES, 'UTF-8');
$string = str_replace('/', '/', $string);
return $string;
}
但是,如果要将污点值放入HTML属性(例如<a的href=子句),那么您需要编码一组不同的字符([ ]%* +,-/;< => ^和|)-并且必须对HTML属性加双引号:
If, however, you're going to be putting the tainted value into an HTML attribute, such as the href= clause of an <a, then you'll need to encode a different set of characters ([space] % * + , - / ; < = > ^ and |)—and you must double-quote your HTML attributes:
function makeHTMLAttributeSafe($string) {
$scaryCharacters = array(32, 37, 42, 43, 44, 45, 47, 59, 60, 61, 62, 94, 124);
$translationTable = array();
foreach ($scaryCharacters as $num) {
$hex = str_pad(dechex($num), 2, '0', STR_PAD_LEFT);
$translationTable[chr($num)] = '&#x' . $hex . ';';
}
$string = strtr($string, $translationTable);
return $string;
}
最后一个问题是非法的UTF-8字符-当传递给某些浏览器时,格式不正确的UTF-8字节序列可能会突破HTML实体.为了防止这种情况,只需确保您获得的所有UTF-8字符都是有效的:
The final concern is illegal UTF-8 characters—when delivered to some browsers, an ill-formed UTF-8 byte sequence can break out of an HTML entity. To protect against this, simply ensure that all the UTF-8 characters you get are valid:
function assertValidUTF8($string) {
if (strlen($string) AND !preg_match('/^.{1}/us', $string)) {
die;
}
return $string;
}
该正则表达式上的u修饰符使其成为Unicode匹配的正则表达式.通过匹配单个字符.,我们可以确保整个字符串都是有效的Unicode.
The u modifier on that regular expression makes it a Unicode matching regex. By matching a single chararchter, ., we're assured that the entire string is valid Unicode.
由于这都是与上下文相关的,因此最好在最可能的时刻(就在向用户展示输出之前)进行任何编码.进行这种练习还可以很容易地看到您错过的任何地方.
Since this is all context-dependent, it's best to do any of this encoding at the latest possible moment—just before presenting output to the user. Being in this practice also makes it easy to see any places you've missed.
