禁用javascript条目到表单中 [英] Disable javascript entry into form
问题描述
我正在为我的网页创建一个HTML编辑器。目前,我只希望编辑器允许输入HTML和CSS元素,而不是 Javascript(或者Jquery)。
我试图找到禁止使用< script> 或< script type =text / javascript> < / script> 使用PHP。然而,目前的方式输出一个混乱的结果!
$ content_in_before = str_replace('< script','',$ content_in_before) ;
$ content_in_before = str_replace('script>','',$ content_in_before);
它的编码也不是很好!
是否有更强大的编码方式,阻止所有类型的Javascript被输入到这个表单中? (虽然仍然允许使用CSS和HTML)?
在此先感谢!
我建议使用清理库,例如 HTML Purifier ,因为只需剥离< ;脚本> 标记不足以阻止XSS攻击,因为JS可以使用 onLoad ,等属性自动执行。 onMouseOver , onUnload 等。
要删除标签并允许某些标签,可以使用PHP的 strip_tags() 函数,但它不会' t删除属性,因此我建议使用HTML清理库。如果您可以运行它,也许最好的选择之一是Google的 Caja 但它可以在Google的AppEngine上托管。
此外,简单的正则表达式解决方案并不适用于共享主机环境总是可靠的,因为即使格式不正确的标签仍然可以被解析。例如,< script> 不会被正常脚本标记的简单正则表达式检测所捕获,除非它在标记名称后面查找空格。可以检查这个,但是使用已建立的库会节省您的时间,并且会给您额外的经过测试的库的奖励。
示例:
带空格的脚本标签产生警报
I'm creating a "HTML editor" for a webpage of mine. At the moment, I only want the editor to allow entry of HTML and CSS elements and not Javascript (or Jquery for that matter).
I'm trying to find a way that disables the use of <script> or <script type="text/javascript"> </script> using PHP. However the current way outputs a messy result!
$content_in_before = str_replace('<script','',$content_in_before);
$content_in_before = str_replace('script>','',$content_in_before);
It's also not very well coded!
Is there a more bulletproof way of coding this, stopping all type of Javascript from being entered into this form? (While still allowing CSS and HTML)?
Thanks in advance!
I'd recommend using a sanitization library, like HTML Purifier, since just stripping <script> tags isn't enough to prevent XSS attacks, since JS can be automatically executed using attributes like onLoad, onMouseOver, onUnload, etc.
To remove tags, and allow some, you can use PHP's strip_tags() function, but it doesn't strip the attributes, hence my recommendation for a HTML sanitization library. If you're able to run it, perhaps one of the best choices is Google's Caja library, albeit it doesn't work in shared hosting environments since it's written in Java, but it can be hosted on Google's AppEngine.
Also, simple regex solutions aren't always reliable, since even malformed tags can still be parsed. For example, <script > wouldn't be caught by simple regex detection of normal script tags unless it's looking for spaces after the tag name. It's possible to check for this, but using an established library would save you time, and would give you the added bonus of a battle-tested library.
Example: Script Tags with Spaces producing an alert
这篇关于禁用javascript条目到表单中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
