XSS:使用 PHP 的 json_encode 创建一个 javascript 对象 [英] XSS : Creating a javascript object using PHP's json_encode

问题描述

这对 XSS 是否 100% 安全?如果不是，请提供示例错误字符串文本，向我说明为什么不是.

Is this 100% safe against XSS? If not, can you please provide example bad string text showing me why it is not.

<html>
  <body>
    <script>
      <?php
        $bad = "some bad string.  please give example text that makes the below unsafe";
        echo "var a = ".json_encode($bad).";";
        echo "var b = ".json_encode(array($bad)).";";
      ?>
    </script>
  </body>
</html>

Thanks.

推荐答案

简而言之，它是安全的.可能的 XSS 需要从 javascript 字符串 (") 或脚本 (</script>) 中转义.两个字符串都已正确转义:

In short, it's safe. Possible XSS would require escaping from the javascript string (") or script (</script>). Both strings are properly escaped:

"          becomes  \"
</script>  becomes  <\/script>

这是关于直喷的部分.您的应用程序应该考虑到某些数组元素可能会丢失.另一种可能性是数组元素不是您期望的类型(例如，数组而不是字符串)

This is the the part about direct injection. Your application should take in account that some array elements may be missing. Another possibility is that an array element is not the type you would expect (e.g., an array instead of a string)

这篇关于XSS:使用 PHP 的 json_encode 创建一个 javascript 对象的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！