用PHP防止XSS [英] Preventing XSS with PHP

问题描述

防止XSS真的意味着我每次输出一些用户输入时都必须运行htmlspecialchars()吗?例如，我每次显示用户名吗?看起来真的很乏味.

Does preventing XSS really mean I have to run a htmlspecialchars() EVERY time I output some user input? For example, every time I display the users name? Seems really tedious.

有没有更简单的方法?

推荐答案

如果您担心成为攻击的目标，则应始终确保表单是从您的站点而不是外部来源提交的.您可以使用会话:如果会话中的值表示表单是可以的，否则表单是使用漫游器提交的.

If you're worried about being the target of an attack, then you should always make sure that forms are submitted from your site and not from an external source. You can use sessions: if value in session, form is okay, otherwise, form was submitted using a bot.

如果您担心托管恶意脚本，那么可以，您必须转义所有用户输入的内容，以供公共和管理员使用.

If you're worried about hosting a malicious script, then yes, you'll have to escape all user-entered content for public and admin consumption.

这应该使它更容易:

function h($string) {
    return htmlspecialchars($string);
}

您可能想考虑一种模板语言，它将为您转义变量:

You may want to consider a template language that will escape your variables for you:

例如. http://www.h2o-template.org/

这篇关于用PHP防止XSS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！