防止服务器端脚本，XSS [英] Preventing server-side scripting, XSS

问题描述

是否有任何预制脚本可用于 PHP/MySQL 以防止服务器端脚本和 JS 注入?

Are there any pre-made scripts that I can use for PHP / MySQL to prevent server-side scripting and JS injections?

我知道一些典型的函数，例如 htmlentities、特殊字符、字符串替换等.但是是否有一些简单的代码或一个对所有事情都具有故障保护的函数?

I know about the typical functions such as htmlentities, special characters, string replace etc. but is there a simple bit of code or a function that is a failsafe for everything?

任何想法都会很棒.非常感谢:)

Any ideas would be great. Many thanks :)

一些通用的东西，可以去除任何可能有害的东西，即.大于/小于符号、分号、DROP"等词?

Something generic that strips out anything that could be hazardous, ie. greater than / less than signs, semi-colons, words like "DROP", etc?

我基本上只是想将所有内容压缩为字母数字，我猜...?

I basically just want to compress everything to be alphanumeric, I guess...?

推荐答案

永远不要将任何位数据输出到尚未通过 htmlspecialchars() 传递的 HTML 流中，您就大功告成了.规则简单，易于遵循，彻底杜绝任何XSS风险.

Never output any bit of data whatsoever to the HTML stream that has not been passed through htmlspecialchars() and you're done. Simple rule, easy to follow, completely eradicates any XSS risk.

不过，作为一名程序员，你的工作就是这样做.

As a programmer it's your job to do it, though.

你可以定义

function h(s) { return htmlspecialchars(s); }

如果 htmlspecialchars() 太长而无法为每个 PHP 文件写入 100 次.另一方面，完全没有必要使用 htmlentities().

if htmlspecialchars() is too long to write 100 times per PHP file. On the other hand, using htmlentities() is not necessary at all.

重点是:有代码，有数据.如果您将两者混为一谈，就会发生不好的事情.

The key point is: There is code, and there is data. If you intermix the two, bad things ensue.

在 HTML 的情况下，代码是元素、属性名称、实体、注释.数据就是一切.数据必须被转义以避免被误认为是代码.

In the case of HTML, code is elements, attribute names, entities, comments. Data is everything else. Data must be escaped to avoid being mistaken for code.

对于 URL，代码是方案、主机名、路径、查询字符串的机制 (?, &, =, #).数据是查询字符串中的所有内容:参数名称和值.它们必须被转义以避免被误认为是代码.

In case of URLs, code is the scheme, the host name, the path, the mechanism of the query string (?, &, =, #). Data is everything in the query string: parameter names and values. They must be escaped to avoid being mistaken for code.

嵌入在 HTML 中的 URL 必须双重转义(通过 URL 转义 和 HTML 转义)以确保正确分离代码和数据.

URLs embedded in HTML must be doubly escaped (by URL-escaping and HTML-escaping) to ensure proper separation of code and data.

现代浏览器能够将惊人的损坏和不正确的标记解析为有用的东西.但是，不应强调这种能力.某些事情碰巧起作用的事实(例如 中的 URL 没有应用适当的 HTML 转义)并不意味着这样做是好的或正确的.XSS 是一个问题，其根源在于 a) 人们不知道数据/代码分离(即转义")或那些草率的人，以及 b) 人们试图聪明地了解他们不需要转义的数据部分.

Modern browsers are capable of parsing amazingly broken and incorrect markup into something useful. This capability should not be stressed, though. The fact that something happens to work (like URLs in <a href> without proper HTML-escaping applied) does not mean that it's good or correct to do it. XSS is a problem that roots in a) people unaware of data/code separation (i.e. "escaping") or those that are sloppy and b) people that try to be clever about what part of data they don't need to escape.

XSS 很容易避免，只要你确保你不属于 a) 和 b) 类.

XSS is easy enough to avoid if you make sure you don't fall into categories a) and b).

这篇关于防止服务器端脚本，XSS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！