我什至需要`htmlspecialchars()`作为textarea的值吗 [英] do I even need `htmlspecialchars()` for textarea's value
问题描述
我有staff.php
页面,其中包含员工的姓名、职位和详细信息.当用户需要编辑员工信息时,他们将被发送到edit.php
页面.edit.php
页面在 text field
上显示名称和标题,在 textarea
I have staff.php
page which contains staff's name,position and detail.When user would need to edit staff info,they would be send to edit.php
page.edit.php
page show name and title on text field
and detail on a textarea
我的问题是,我什至需要 edit.php
页面中的 htmlspecialchars
.我没有向用户页面打印任何内容,仅在该字段上打印.但我是在打印给用户之前,在 staff.php
上使用 htmlspecialchars
.
My question is,do I even need htmlspecialchars
in edit.php
page.I am not printing anything to users page,only on that fields.But I'm using htmlspecialchars
on staff.php
before printing to user.
是否仍然对XSS Attack
开放?
代码
部分来自 staff.php
$staff.="<div id='sob'>".htmlspecialchars($title)."<br>".htmlspecialchars($sub_title)."<div><a href='edit.php?pid=".htmlspecialchars($pro_id)."'><input type='submit' id='editx' name='editx' value='Edit'></a></div><div id=''><br>".htmlspecialchars($detail)."</div><hr id='h'></div>";
部分来自 edit.php
if(isset($_GET["pid"])){
$name4=$title; //
$sub_title4=$sub_title; //using prepared statement
$detail4=$detail; //
}
HTML part at edit.php
<input type='text' id='staff_name' name='staff_name' value="<?php echo $name4;?>" required>
</br><input type='text' id='staff_pos' name='staff_pos' value="<?php echo $sub_title4;?>" required>
</br><textarea id='staff_detail' name='staff_detail' cols='30' rows='6' required><?php echo $detail4;?></textarea></br>
推荐答案
当变量要显示在屏幕上时,对 XSS 的保护不仅仅是必要的;每当使用用户生成的值构建 HTML 标记时,无论上下文如何,都需要它.
Protection against XSS isn't just necessary when variables are to be displayed on the screen; it is needed whenever user-generated values are used to build HTML markup, whatever the context.
必须对放置在 中的 PHP 变量调用
htmlspecialchars()
.考虑以下几点:
It is necessary to call htmlspecialchars()
on a PHP variable placed inside a <textarea>
. Consider the following:
<?php
// Unsafe text in the variable
$detail4 = '</textarea><script>alert("XSS!");</script>';
?>
<textarea><?php echo $detail4; ?></textarea>
这会导致一个关闭的 </textarea>
后跟一个不安全的注入脚本(以及另一个关闭的 </textarea>
浏览器可能会忽略).
This results in a closed </textarea>
followed by an unsafe injected script (and another closing </textarea>
the browser will probably ignore).
还需要对放置在value=""
属性中的变量调用htmlspecialchars()
,选择合适的常量以确保变量中的内部引号正确编码以防止属性过早以引号结束.如果您一直在属性上使用双引号,您可以接受默认的 ENT_COMPAT
,但如果您有时用单引号引用属性,请使用 ENT_QUOTE
.
It is also necessary to call htmlspecialchars()
on the variables placed into value=""
attributes, choosing the appropriate constant to ensure internal quotes in the variables are correctly encoded to prevent the attribute being prematurely ended with a quote. If you consistently use double quotes on the attributes, you can accept the default of ENT_COMPAT
, but if you sometimes quote attributes with single quotes, use ENT_QUOTE
.
<input type='text' name='staff_pos' value="<?php echo htmlspecialchars($sub_title4, ENT_QUOTES);?>" ...>
这篇关于我什至需要`htmlspecialchars()`作为textarea的值吗的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!