XSS attack prevention
Problem description
I'm developing a web app where users can respond to blog entries. This is a security problem because they can send dangerous data that will be rendered to other users (and executed by JavaScript).
They can't format the text they send. No "bold", no colors, no nothing. Just simple text. I came up with this regex to solve my problem:
[^\\w\\s.?!()]
So anything that is not a word character (a-z, A-Z, 0-9), not a whitespace, ".", "?", "!", "(" or ")" will be replaced with an empty string. Then every quotation mark will be replaced with: &quot;
I check the data on the front end and I check it on my server.
Is there any way somebody could bypass this "solution"?
I'm wondering how StackOverflow does this thing? There is a lot of formatting here so they must do good work with it.
Recommended answer
If you just want simple text don't worry about filtering specific html tags. You want the equivalent to PHP's htmlspecialchars(). A good way to use this is print htmlspecialchars($var, ENT_QUOTES);
This function will perform the following encodings:
'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'
This is solving the problem of XSS at the lowest level, and you don't need some complex library/regex that you don't understand (and is probably insecure; after all, complexity is the enemy of security).
Make sure to TEST YOUR XSS FILTER by running a free xss scanner.
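As an added example (not code from the question or the answer), here is a JavaScript port of the htmlspecialchars() behaviour the answer describes, run beside the asker's allow-list regex on the same constructed comments so the two approaches can be compared; the flag names and the sample text are assumptions.

```javascript
// Added example, not code from the original question or answer: a JavaScript
// port of PHP's htmlspecialchars() semantics, placed beside the asker's
// allow-list regex so both can be run on the same input.

// Flag names mirror PHP's constants; only their effect on quotes differs.
const ENT_COMPAT = "ENT_COMPAT";      // PHP default: encode " but not '
const ENT_QUOTES = "ENT_QUOTES";      // encode both " and '
const ENT_NOQUOTES = "ENT_NOQUOTES";  // encode neither quote

// Output encoding for text placed between HTML tags (the body context).
// All five characters are replaced in a single pass: replacing '&' after
// the other four would re-encode the entities they produced.
function htmlspecialchars(text, flag = ENT_COMPAT) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };
  if (flag !== ENT_NOQUOTES) map['"'] = "&quot;";
  if (flag === ENT_QUOTES) map["'"] = "&#039;";
  return text.replace(/[&<>"']/g, (ch) => map[ch] ?? ch);
}

// The asker's approach: delete every character outside an ASCII allow-list.
// Note that \w in JavaScript matches ASCII letters, digits and '_' only.
function stripToAllowList(text) {
  return text.replace(/[^\w\s.?!()]/g, "");
}

// Constructed sample comments (not real user data).
const SAMPLES = [
  "It's <b>not</b> bold & that's fine?", // markup, ampersand, apostrophes
  "Café déjà vu",                         // non-ASCII letters
];

// Run both approaches over one comment: encoding keeps the text intact and
// inert in the HTML body, while stripping silently mangles legitimate input.
function compare(text) {
  return {
    encoded: htmlspecialchars(text, ENT_QUOTES),
    stripped: stripToAllowList(text),
  };
}

for (const s of SAMPLES) console.log(compare(s));
```

Encode exactly once, at the point where the text is written into the HTML body; encoding already-encoded text double-encodes it (see the last assertion).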