是否可以“重复地” CodeIgniter中的xss清理数据? [英] is it okay to "repeatedly" xss-clean data in CodeIgniter?
问题描述
以下是Codeigniter中XSS清理数据的方法:
- 设置
global_xss_filteringin config toTRUE - 使用
xss_clean() - 使用
xss_clean作为验证规则 - 将第二个参数设置为
TRUE$ this-> input-> post('something',TRUE) - set
global_xss_filteringin config toTRUE - use
xss_clean() - use
xss_cleanas a validation rule - set the second parameter to
TRUEin$this->input->post('something', TRUE)
是否可以在一条数据上使用全部或多个数据?
例如,如果我仍然使用 $ this-> input-> post('something',TRUE),即使数据已经被清除, global_xss_filtering 和 xss_clean 验证规则?
这不会伤害你,但它绝对是毫无意义的。
最终你会达到一个点其中全局XSS过滤器将是繁琐的。由于它不能被禁用每个控制器没有大量的攻击,并且访问原始的 $ _ REQUEST 数据将是不可能的,你将需要全局禁用它。这将发生在您想要处理单个可信数据或不是HTML输出并且必须保持完整的数据时。
使用它作为表单验证规则是无意义的并且潜在地具有破坏性。想象一下这个网站会是什么样子,如果每次你输入< script> 它被替换为 [removed] 没有办法在将来恢复它。又例如,如果用户在他的密码中使用了一些XSS内容怎么办?
只要在需要的地方使用XSS过滤器:在HTML输出中,可以执行javascript的地方。
The following are ways to XSS-clean data in Codeigniter:
Is it okay to use all or more than one of them on one piece of data?
For example, would it be okay if I still used $this->input->post('something', TRUE) even if the data has already been cleaned by global_xss_filtering and xss_clean validation rule?
It's not going to hurt you, but it is definitely is pointless.
There's a very good chance that eventually, you will reach a point where the global XSS filter is going to be cumbersome. Since it can't be disabled per controller without extensive hacks, and access to the raw $_REQUEST data will be impossible, you will need to disable it globally. This will happen the moment you want to process a single piece of trusted data, or data that isn't HTML output and must remain intact.
Using it as a form validation rule is pointless and potentially destructive as well. Imagine what this site would be like if every time you typed <script> it was replaced with [removed], with no way to revert it in the future. For another example, what if a user users some "XSS" content in his password? Your application will end up altering the input silently.
Just use the XSS filter where you need it: on your HTML output, places where javascript can be executed.
这篇关于是否可以“重复地” CodeIgniter中的xss清理数据?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
