CodeIgniter - 为什么使用xss_clean [英] CodeIgniter - why use xss_clean

问题描述

如果我正在清理我的数据库插入，也逃避HTML我写的 htmlentities（$ text，ENT_COMPAT，'UTF-8'）指向也使用xss_clean过滤输入？

解决方案

xss_clean（）是广泛的，也愚蠢。这个函数的90％没有阻止xss。例如查找警告但不是 document.cookie 。没有黑客要在他们的漏洞中使用 alert ，他们将使用xss劫持cookie或读取CSRF令牌以生成XHR。

但是运行 htmlentities（）或 htmlspecialchars（）与它是冗余的。 xss_clean（）修复问题， htmlentities（$ text，ENT_COMPAT，'UTF-8'）失败如下：

 <？php 
 print< img src ='$ var'> ; 
？> 
  

简单的poc是：

http：//localhost/xss.php？var = http：// domain / some_image.gif '％20onload = alert（/ xss /）

这将添加 onload = 事件处理程序。停止这种形式的xss的方法是 htmlspecialchars（$ var，ENT_QUOTES）; 或在这种情况下 xss_clean（）

p>没有什么是永远100％的万无一失，
课程，但我没有能够得到
任何通过过滤器。

也就是说，XSS是一个输出问题 不一个输入问题。例如，此函数不能考虑变量已经在< script> 标记或事件处理程序中。它也不会停止基于DOM的XSS。您需要考虑如何使用数据才能使用最佳功能。过滤所有输入数据是不良做法。它不仅不安全，而且破坏了可能使比较困难的数据。

if I'm sanitizing my DB inserts, and also escaping the HTML I write with htmlentities($text, ENT_COMPAT, 'UTF-8') - is there any point to also filtering the inputs with xss_clean? What other benefits does it give?

解决方案

xss_clean() is extensive, and also silly. 90% of this function does nothing to prevent xss. Such as looking for the word alert but not document.cookie. No hacker is going to use alert in their exploit, they are going to hijack the cookie with xss or read a CSRF token to make an XHR.

However running htmlentities() or htmlspecialchars() with it is redundant. A case where xss_clean() fixes the issue and htmlentities($text, ENT_COMPAT, 'UTF-8') fails is the following:

<?php
print "<img src='$var'>";
?>

A simple poc is:

http://localhost/xss.php?var=http://domain/some_image.gif'%20onload=alert(/xss/)

This will add the onload= event handler to the image tag. A method of stoppipng this form of xss is htmlspecialchars($var,ENT_QUOTES); or in this case xss_clean() will also prevent this.

However, quoting from the xss_clean() documentation:

Nothing is ever 100% foolproof, of course, but I haven't been able to get anything passed the filter.

That being said, XSS is an output problem not an input problem. For instance this function cannot take into account that the variable is already within a <script> tag or event handler. It also doesn't stop DOM Based XSS. You need to take into consideration how you are using the data in order to use the best function. Filtering all data on input is a bad practice. Not only is it insecure but it also corrupts data which can make comparisons difficult.

这篇关于CodeIgniter - 为什么使用xss_clean的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！