Is $_SERVER['QUERY_STRING'] safe from XSS?


Question


I need to construct a form who's action takes you back to the exact same page - GET parameters included. I'm thinking I can say something to the effect of:

echo '<form action="'.$_SERVER['SCRIPT_NAME'].'?'.$_SERVER['QUERY_STRING'].
     '" method="post">';


This seems to work, and testing passing a couple XSS attacks seems to be successful, as the output of QUERY_STRING seems to be URL encoded. However the PHP documentation does not mention this, so I'm not confident I can trust this behavior.


Is it safe to use QUERY_STRING the way I am above? If not, what can I do instead? References to documentation would be appreciated.


Update switched to SCRIPT_NAME, just mixed up which one was ok and which was bad in my head, thanks for catching me. action="" does resolve my specific issue nicely, but I'm still curious if QUERY_STRING is pre-processed so it is safe to use or not, since there are other times you might want to re-use the query string, assuming it's safe to do so.

Accepted answer


You should never trust $_SERVER['QUERY_STRING'] as it can be used for XSS attacks.


In your case, one could exploit the vulnerability with:

http://your.server.com/your_script.php?"><script>alert(111);</script>


Note that the code above works on IE; FireFox and Chrome efficiently encode the query string before sending it to the web server.


I would always wrap it with htmlentities (mind the double_encode parameter) as with every user input.

Good luck!
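The following is an added example, not code from the question or the answer above. It shows, side by side, the form built from the raw query string and the same form with the value escaped for an HTML attribute context, plus the empty-action alternative the asker settled on. The query string and script name are constructed sample values standing in for $_SERVER['QUERY_STRING'] and $_SERVER['SCRIPT_NAME'].

```php
<?php
// Added example (not from the original question or answer).
// Shows why the raw query string must be escaped before it is placed in an
// HTML attribute, and how to escape it correctly.

// Constructed sample input: what $_SERVER['QUERY_STRING'] holds for a request
// such as  your_script.php?page=2&q="><script>alert(1)</script>  when the
// client sends the quote and angle brackets unencoded (the answer notes that
// some browsers percent-encode them; a non-browser client never has to).
$queryString = 'page=2&q="><script>alert(1)</script>';
$scriptName  = '/your_script.php';   // stands in for $_SERVER['SCRIPT_NAME']

// Vulnerable: the double quote in the query string closes the action
// attribute, and the remainder of the payload becomes live markup.
$vulnerable = '<form action="' . $scriptName . '?' . $queryString . '" method="post">';

// Hardened: escape for an HTML attribute context. ENT_QUOTES converts both
// single and double quotes; the fourth argument (double_encode) is left at its
// default of true so an already-encoded "&amp;" in the input is encoded again,
// which is the correct treatment for untrusted data.
$safe = '<form action="'
      . htmlentities($scriptName . '?' . $queryString, ENT_QUOTES, 'UTF-8')
      . '" method="post">';

// Equally safe and simpler when the form should post back to the same URL:
// an empty action submits to the current document URL, query string included,
// and no request data is written into the markup at all.
$noAction = '<form action="" method="post">';

echo $vulnerable, PHP_EOL;   // attribute is broken out of; script tag is live
echo $safe, PHP_EOL;         // <form action="/your_script.php?page=2&amp;q=&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;" method="post">
echo $noAction, PHP_EOL;
```

The same escaping applies to $_SERVER['SCRIPT_NAME'] and any other server variable echoed into HTML: treat all of them as user input, as the answer says, and escape at the point of output for the context (attribute, text, URL) they land in.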
