urlencode() 是否可以防止 XSS [英] Does urlencode() protect against XSS

问题描述

$address 和 $cityState 是用户提供的，存储在数据库中，可供其他人查看，如下所示.是否存在 XSS 的风险?htmlspecialchars() 也应该用在上面吗?

$address and $cityState is user provided, stored in a DB, and available for others to view as shown below. Is there risk of XSS? Should htmlspecialchars() also be used on it?

<img src="http://maps.google.com/maps/api/staticmap?markers=color:blue|<?php echo(urlencode($address.' '.$cityState));?>&amp;zoom=14&amp;size=400x400&amp;sensor=false" alt="Map" />

推荐答案

没有魔杖 PHP 功能可以保护您免受所有伤害.直到被黑客入侵的那一天，每项保护都是 100% 安全的.您只需要了解您的网站从何处以及如何被黑客入侵，并每天改进您的保护.

There is no magic wand PHP function what will protect you from all. Every protection is 100% safe till day it hacked. You just need to understand from where and how your site can be hacked and improve your protection every day.

您可以从关于 XSS 预防的文章中获得一些有趣的提示.

You can get some interesting tips from article about XSS prevention.

同样来自 php.net urlencode 文档:

<?php
$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
?>

这篇关于urlencode() 是否可以防止 XSS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！