CakePHP: Avoid XSS attacks while keeping the ease of use of Cake


Problem description


One of the things I like with CakePHP is that we can easily have a generated edit form which allows us to save.

E.g. in a controller:

    function add() {
        if (!empty($this->data)) {
            // $this->data holds the submitted form fields, keyed by model alias
            $this->Post->create();
            if ($this->Post->save($this->data)) {
                $this->Session->setFlash(__('The post has been saved', true));
                $this->redirect(array('action' => 'index'));
            } else {
                $this->Session->setFlash(__('The post could not be saved. Please, try again.', true));
            }
        }
        $users = $this->Post->User->find('list');
        $this->set(compact('users'));
    }

The problem with that is that our fields are vulnerable to XSS (cross-site scripting). I'm aware of the "Sanitize::clean" way, but I have a problem with that: it means that we have to do this on all fields before we save the object. And what if we later add a field? Should we go through all our code to check that we sanitize it? Is there any way to say "sanitize this object before saving it", without specifying any fields?

Thank you!

Solution

You can look at the beforeSave() method for models:

http://book.cakephp.org/view/1052/beforeSave

The submitted data is available in the $this->data[$this->alias] array, so you could:

    function beforeSave($options = array()) {
        foreach ($this->data[$this->alias] as $k => $v) {
            $this->data[$this->alias][$k] = Sanitize::clean($v);
        }
        return true; // a false return would abort the save
    }

Usually you want to store whatever is submitted by the user in the database and only sanitize it when you need to display it; that way you still preserve the original HTML content (if it is indeed intended to be HTML input, for instance a blog post).

If you want to sanitize before displaying, you could do it using afterFind(), so you don't have to call Sanitize every time:

http://book.cakephp.org/view/1050/afterFind

    function afterFind($results, $primary) {
        // Fields to encode before they reach the view
        $toSanitize = array('field1', 'field2', 'field4');
        if (!empty($results[0])) {
            // Primary find: rows are $results[$i][$this->alias][$field]
            foreach ($results as $i => $res) {
                foreach ($toSanitize as $ts) {
                    if (!empty($res[$this->alias][$ts])) {
                        $results[$i][$this->alias][$ts] = Sanitize::clean($res[$this->alias][$ts]);
                    }
                }
            }
        } else {
            // Associated find (hasOne/belongsTo): a single flat $results[$field] row
            foreach ($toSanitize as $ts) {
                if (!empty($results[$ts])) {
                    $results[$ts] = Sanitize::clean($results[$ts]);
                }
            }
        }
        return $results;
    }
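As an added example that is not part of the original question or answer: a CakePHP 1.3 behavior that applies the beforeSave() idea above to every submitted string field without listing them (so a column added later is covered without touching any controller), together with the view-side escaping that the "sanitize when you display it" point actually requires. It assumes CakePHP 1.3 (ModelBehavior::setup() and beforeSave(&$model), Sanitize::html(), the h() view shortcut, and a $post variable set by the controller); the behavior name HtmlInput, the field names and the view file are hypothetical. It uses Sanitize::html() with 'remove' rather than Sanitize::clean() because clean() by default also quote-escapes the value through the datasource, which save() does again on the way to the database.

```php
<?php
// Added example; not code from the original question or answer.
// Assumes CakePHP 1.3: ModelBehavior::setup()/beforeSave(&$model), the core
// Sanitize class (Sanitize::html) and the h() view shortcut. The behavior
// name, model fields and view file below are hypothetical.

// --- app/models/behaviors/html_input.php ---
App::import('Core', 'Sanitize');

class HtmlInputBehavior extends ModelBehavior {
    var $settings = array();

    // $config['allow'] lists fields that legitimately carry HTML (a blog body).
    // Every other submitted string field has its tags stripped before save.
    function setup(&$model, $config = array()) {
        $this->settings[$model->alias] = array_merge(array('allow' => array()), $config);
    }

    function beforeSave(&$model) {
        $alias = $model->alias;
        if (empty($model->data[$alias]) || !is_array($model->data[$alias])) {
            return true;
        }
        $allow = $this->settings[$alias]['allow'];
        foreach ($model->data[$alias] as $field => $value) {
            // Only strings can carry markup; date/time inputs arrive as arrays.
            if (!is_string($value) || in_array($field, $allow)) {
                continue;
            }
            // Sanitize::html() with 'remove' is strip_tags(); unlike
            // Sanitize::clean() it does not escape quotes, so save() does not
            // escape them a second time.
            $model->data[$alias][$field] = Sanitize::html($value, array('remove' => true));
        }
        // A beforeSave callback must return true or the save is aborted.
        return true;
    }
}

// --- app/models/post.php ---
class Post extends AppModel {
    var $name = 'Post';
    var $belongsTo = array('User');
    // 'body' is rich text and is stored exactly as submitted.
    var $actsAs = array('HtmlInput' => array('allow' => array('body')));
}

// --- app/views/posts/view.ctp ---
// Stripping tags on save is defence in depth, not the XSS control: a value
// such as  " onmouseover="alert(1)  contains no tag, so strip_tags() returns
// it unchanged, yet it is live inside an attribute. The control is encoding at
// the point of output, in the view, for every value regardless of what
// beforeSave did. h() is htmlspecialchars() with ENT_QUOTES, correct for HTML
// text and for double-quoted attribute values.
?>
<h1><?php echo h($post['Post']['title']); ?></h1>
<p>Posted by <?php echo h($post['User']['name']); ?></p>
<a href="/posts/index" title="<?php echo h($post['Post']['title']); ?>">Back</a>
<?php
// The rich-text body: h() would show its markup literally. Echoing it raw is
// only acceptable after it has been cleaned by a real allow-list HTML
// sanitizer (e.g. HTML Purifier), which the Sanitize class is not. Until that
// is in place, encode it as well.
echo h($post['Post']['body']);
```

The behavior answers the "without specifying any fields" part of the question by iterating over whatever $model->data[$alias] contains, with an allow list for the few fields that are meant to hold HTML; the view shows why that is not a substitute for escaping on output.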
