如何防止脚本标记和其他XSS实体插入数据库？ [英] How to prevent script tags and other XSS entities from being inserted into the db?

问题描述

我有一个包含许多文本框的表单。所有文本框都是必填字段。因为这些是文本框，我不能使用特定的
验证，除了长度。但我不想允许用户插入易受xss攻击的标签。

I have a form which contains many text boxes. All the text boxes are required fields. As these are textboxes I can not use specific validation except the length. But i do not want to allow the users to insert tags that are vulnerable to xss attacks.

我知道在ColdFusion我可以使用htmlEditFormat（），encodeForHTML用户数据阻止XSS，但我只是想要
防止这些插入到db.'GlobalScriptProtect'选项也不会增加很多的安全，据我所知。因为我在CF10，所以不能使用getSafeHTML（）

I know in ColdFusion i can use htmlEditFormat(),encodeForHTML() while displaying user data for preventing XSS, But I just want to prevent those from inserting to db.'GlobalScriptProtect' option also does not add much security as per my knowledge. As I am in CF10, so can not use getSafeHTML()

有没有办法防止这些恶意输入插入到CF10中的DB。我可以去客户端敏感吗？

Is there any way to prevent theses malicious inputs from inserting into the DB in CF10. Can I go for client side sensitization ?

推荐答案

CFlib.org上有一个UDF isXss 检查值以确定它是否为xss。我使用这个函数，并建立一个自定义标签来检查每个表单字段和查询字符串字段，然后我提交到数据库。在实现这一点后，我已经能够通过无数的PCI扫描，没有任何xss问题。

There is a UDF on CFlib.org isXss that checks a value to determine if it is xss. I have used this function and built a custom tag to check every form field and query string field before I submit it to the database. After implementing this, I have been able to pass countless PCI scans and have not had any xss issues.

这篇关于如何防止脚本标记和其他XSS实体插入数据库？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！