Why is the `NAME` attribute considered unsafe?

Views: 131

Question


I'm passing user-generated HTML into a database and I'm trying to make sure that no malicious code is passed through. One of the steps I'm taking is to run passed code through pear's HTML_Safe class to remove vulnerable markup. However, one thing I've noticed is that the name attribute of submitted elements gets removed. Sure enough, when you look at the source code, name is one of the few attributes that's blacklisted by default:

http://pear.php.net/package/HTML_Safe/docs/latest/HTML_Safe/HTML_Safe.html#var$attributes


What's the danger in allowing users to pass values for name? How can values for name be used to nefarious ends? Any thoughts? If not, I'm tempted to modify the blacklist.

Answer


In HTML form elements, the name attribute is used as an identifier. Therefore, if you allow name then someone may be able to override your HTML name attributes (that you may have used) with one of their own. The first matching name found is often the one used by either JavaScript or server-side processing.


This would then allow someone to exploit any possible Javascript or server side form processing you may be using that references the first matching name attribute found.


It is not just form elements that can use name, but they would be the least safe ones.


Another override issue is if you are using JavaScript's getElementsByName in any of your functions (as pointed out below): you could end up with a function that does not do what you expect.

Edit: Some corrections and a note about the getElementsByName issue (as pointed out below).
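The two override effects the answer describes, as an added, self-contained example that is not part of the original question or answer. The page, the form, the field names (`csrf_token`, `action`, `submit`) and the attacker's inputs are all constructed for this demo; open the file in a browser and read the `<pre>` block. It assumes the site renders a block of user-supplied HTML inside its own form with `name=` left intact, and that the sanitizer strips `id` as well as `name`, so the site can still find its own field by id.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>Why a user-controlled name= attribute is dangerous</title>

<!-- A site's own order form. The hidden CSRF field sits after a block of
     user-generated HTML (say a product review) whose name= attributes the
     sanitizer did not remove. -->
<form id="order" action="/order/submit" method="post">
  <div class="review">
    <!-- Constructed attacker-supplied HTML for this demo. -->
    <input type="hidden" name="csrf_token" value="attacker-chosen">
    <input type="hidden" name="action" value="https://attacker.example/steal">
    <input type="hidden" name="submit" value="clobbered">
  </div>
  <input type="hidden" name="csrf_token" value="legit-token-value" id="real-csrf">
  <button type="submit">Order</button>
</form>

<pre id="out"></pre>

<script>
  const form = document.getElementById("order");
  const lines = [];

  // 1. getElementsByName returns matches in document order, so "the first
  //    matching name" is the attacker's element, not the site's own field.
  const first = document.getElementsByName("csrf_token")[0];
  lines.push("getElementsByName('csrf_token')[0].value = " + first.value);
  // -> attacker-chosen

  // 2. Named controls inside a form shadow the form's built-in properties
  //    (HTMLFormElement is [LegacyOverrideBuiltIns]). Script that trusts
  //    form.action or form.submit now gets the attacker's <input> elements,
  //    so form.submit() throws and form.action is no longer a URL string.
  lines.push("typeof form.action = " + typeof form.action);   // object, not string
  lines.push("typeof form.submit = " + typeof form.submit);   // object, not function
  lines.push("form.action.value = " + form.action.value);     // https://attacker.example/steal

  // 3. Lookups that survive name= clobbering: read the attribute itself, find
  //    the site's own field by id (an attribute the sanitizer is assumed to
  //    strip from user content), and submit via the prototype rather than the
  //    possibly shadowed instance property.
  lines.push("form.getAttribute('action') = " + form.getAttribute("action"));
  lines.push("getElementById('real-csrf').value = " +
             document.getElementById("real-csrf").value);
  // HTMLFormElement.prototype.submit.call(form) would submit the real form.

  document.getElementById("out").textContent = lines.join("\n");
</script>
```

Pressing the button still submits the form, but the body now carries `csrf_token` twice. Which value the server sees depends on its parser: PHP's `$_POST` keeps the last value for a repeated key, while many other frameworks return the first, which is the "server side form processing that references the first matching name" the answer warns about.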
