New Way To Prevent XSS Attacks


Question

I have a website related to entertainment. So, I have thought to use a new method to prevent XSS attacks. I have created the following word list:

alert(, javascript, <script>,<script,vbscript,<layer>,
<layer,scriptalert,HTTP-EQUIV,mocha:,<object>,<object,
AllowScriptAccess,text/javascript,<link>, <link,<?php, <?import,

I have thought that because my site is related to entertainment, I do not expect a normal user (other than a malicious user) to use such kinds of words in his comment. So, I have decided to remove all of the above comma-separated words from the user-submitted string. I need your advice. Do I not need to use tools like htmlpurifier after doing this?

Note: I am not using htmlspecialchars() because it would also convert the tags generated by my rich text editor (CKEditor), so the user's formatting would be gone.

Answer

Using a blacklist is a bad idea because it is easy to circumvent. For example, you are checking for and possibly removing
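As an added illustration of the two approaches discussed above (this is example code written for this page, not code from the asker's site or from HTML Purifier), the block below puts the asker's word-deletion filter next to an allowlist sanitizer of the kind the answer is steering towards. The allowlist keeps the formatting tags a rich-text editor emits, drops every other tag, keeps only named attributes, and rejects link targets whose scheme is not http, https or mailto. It is written in Python with the standard library so it runs stand-alone; the allowed tag set, the `safe_href` rules and the two sample comments are assumptions made for this example and would need to be tuned to whatever CKEditor is actually configured to produce.

```python
"""Keyword blacklist (from the question) next to an allowlist HTML sanitizer."""
from html import escape
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# The comma-separated list from the question, verbatim (surrounding spaces trimmed).
BLACKLIST = [
    "alert(", "javascript", "<script>", "<script", "vbscript", "<layer>",
    "<layer", "scriptalert", "HTTP-EQUIV", "mocha:", "<object>", "<object",
    "AllowScriptAccess", "text/javascript", "<link>", "<link", "<?php", "<?import",
]


def blacklist_filter(text: str) -> str:
    """The question's approach: delete every listed word from the submitted string."""
    for word in BLACKLIST:
        text = text.replace(word, "")
    return text


# Allowlist for a rich-text comment: tag -> attributes permitted on it.
# Hypothetical choice for this example; align it with what the editor emits.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "u": set(), "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}                       # emitted without a closing tag
DROP_WITH_CONTENT = {"script", "style"}  # tag and its text content both removed
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def safe_href(url: str) -> Optional[str]:
    """Return the link target if its scheme is allowed or it is site-relative, else None."""
    url = "".join(ch for ch in url if ch.isprintable()).strip()  # drop control chars
    if url.startswith(("/", "#")) and not url.startswith("//"):
        return url                      # same-site path or fragment
    if urlparse(url).scheme.lower() in SAFE_URL_SCHEMES:
        return url
    return None


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping only allowlisted tags/attributes; all text is escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list = []
        self.open_tags: list = []
        self.skip = 0  # >0 while inside a <script>/<style> whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content still flows through handle_data
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_TAGS[tag]:
                continue
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open_tags:
            return
        while self.open_tags:  # close anything left open inside it, keeping output well-formed
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE>, and <?...?> processing instructions fall through to the
    # base class no-op handlers and are therefore dropped.

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


# Constructed sample comments for this example.
BENIGN = ('<p>Great episode! I love <b>javascript</b> tutorials, see '
          '<a href="https://example.com/ep1">this</a>.</p>')
UNTRUSTED = ('<p>Nice show <script>alert(1)</script>'
             '<a href="javascript:alert(1)" title="x">link</a></p>')

if __name__ == "__main__":
    print(blacklist_filter(BENIGN))  # the word "javascript" vanishes from an innocent comment
    print(sanitize(BENIGN))          # formatting and the https link survive unchanged
    print(sanitize(UNTRUSTED))       # script block and javascript: href are gone, text kept
```

Two things the run shows that the blacklist cannot: the allowlist leaves a harmless comment intact (the blacklist silently deletes the word "javascript" from it, a false positive that will annoy exactly the normal users the asker is trying to accommodate), and it decides by structure rather than by spelling, so the `<script>` element and the `javascript:` link target are removed because they are not on the allowlist, not because a particular string matched. Tags that are not allowlisted still contribute their escaped text content, which is the usual behaviour for comment sanitizers; `<script>` and `<style>` are the exception because their content is code, not prose.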
