HTML净化器 - 净化什么？ [英] HTML Purifier - what to purify?

问题描述

我使用HTML Purifier来保护我的应用程序免受XSS攻击。目前，我正在净化来自所见即所得编辑器的内容，因为这是允许用户使用XHTML标记的唯一地方。

我的问题是，我是否也应该使用HTML Purifier和密码登录认证系统（或注册页面的输入字段，如电子邮件，姓名，地址等）？是否有XSS攻击的可能性？

解决方案

您应该净化任何可能会在页面上显示的内容。因为对于XSS攻击，黑客会放入< script> 标记或其他可链接到其他网站的恶意标记。

<密码和电子邮件应该没问题。密码永远不会显示，电子邮件应该有他们自己的验证器，以确保它们是在正确的格式。

最后，请务必记住内容的htmlentities（） 。

噢，看看 filter_var 以及。非常好的过滤变量的方式。

I am using HTML Purifier to protect my application from XSS attacks. Currently I am purifying content from WYSIWYG editors because that is the only place where users are allowed to use XHTML markup.

My question is, should I use HTML Purifier also on username and password in a login authentication system (or on input fields of sign up page such as email, name, address etc)? Is there a chance of XSS attack there?

解决方案

You should Purify anything that will ever possibly be displayed on a page. Because with XSS attacks, hackers put in <script> tags or other malicious tags that can link to other sites.

Passwords and emails should be fine. Passwords should never be shown and emails should have their own validator to make sure that they are in the proper format.

Finally, always remember to put in htmlentities() on content.

Oh .. and look at filter_var aswell. Very nice way of filtering variables.

这篇关于HTML净化器 - 净化什么？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！