问题:
为了避免UTF8编码的页面受到XSS攻击,最好使用哪些safe1()、safe2()、safe3()和safe4()函数?在所有浏览器中(特别是IE6)是否也安全?
<body><?php echo safe1($xss)?></body>
<body id="<?php echo safe2($xss)?>"></body>
<script type="text/javascript">
var a = "<?php echo safe3($xss)?>";
</script>
<style type="text/css">
.myclass {width:<?php echo safe4($xss)?>}
</style>
许多人说,最好的方法是:
// safe1 & safe2
$s = htmlentities($s, ENT_QUOTES, "UTF-8");
// But how would you compare the above to:
// https://github.com/shadowhand/purifier
// OR http://kohanaframework.org/3.0/guide/api/Security#xss_clean
// OR is there an even better if not perfect solution?
.
// safe3
$s = mb_convert_encoding($s, "UTF-8", "UTF-8");
$s = htmlentities($s, ENT_QUOTES, "UTF-8");
// How would you compare this to using using mysql_real_escape_string($s)?
// (Yes, I know this is a DB function)
// Some other people also recommend calling json_encode() before passing to htmlentities
// What's the best solution?
关于PHP和XSS有很多帖子。 大部分只是说“使用HTMLPurifier”或“使用htmlspecialchars”,或者是错误的。 其他人建议使用OWASP,但速度极慢。 以下是我找到的一些好文章:
Do htmlspecialchars和mysql_real_escape_string可以保护我的PHP代码免受注入攻击吗?
var a = "<?php echo safe3($xss)?>";
中,你还需要剥离所有换行符。 - zerkms