
Data filtering, sanitation, and validation for HTML-allowed inputs

I've found a lot of info on sanitizing, filtering, and validating forms when it comes to simple inputs like email, phone numbers, addresses, etc.

But the security of your app is only as strong as your weakest link. What if your form also includes a large textarea, let's say, in which you want your users to be able to write flexible, HTML-readable entries?

For example, this textarea on StackOverflow allows you to format text, include links, pictures, etc. when you are asking a question or submitting an answer. Stack Overflow takes users' inputs, puts them into its database, then displays them on the web: pictures, links, and all. Which means they have to allow HTML tags, special characters, and the like. How do they, and how can I, make sure there is no malicious content being put into my database?

To get specific, here are the security implementations I've added to my web app:

  1. PDO Prepared Statements when working with dynamic database inputs
  2. Limited my production site's database access to a user with less privileges (so if someone does gain control, they'll only be able to update, insert, or select)
  3. Client-side validation (pretty much useless in this context, it's just for users' convenience)
  4. Using POST, not GET
  5. Turned error_display off, so malicious users can't probe

I know the best practice is to filter and validate the POST[] using server-side validation, but doing that will limit what my users can submit. For example, filtering out all HTML tags will disable links, images, and formatting. Same problem with output filtering with htmlentities. Maybe there is a more nuanced way to do it?

What else can I do to secure this?

I should add: There will be a moderation process before any output is displayed. Each user entry will have a pair of eyes looking at it before it is allowed to be put on the website. That takes care of output filtering, but input filtering is still an issue.

PDO Prepared Statements when working with dynamic database inputs

right

Limited my production site's database access to a user with less privileges (so if someone does gain control, they'll only be able to update, insert, or select)

useless

Client-side validation (pretty much useless in this context, it's just for users' convenience)

useless

Using POST, not GET

irrelevant

Turned error_display off, so malicious users can't probe

right

There is no item in your list regarding HTML issues. If you want to allow formatted input, you have to use either BB-code or HTML Purifier or something of the sort.
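As an added illustration of the HTML Purifier option the answer names (this is example code, not from the question, the answer, or the HTML Purifier project): an allow-list sanitizer run on the textarea value before the cleaned string is handed to the PDO prepared statement. It assumes HTML Purifier is installed through Composer so that vendor/autoload.php exists; the sample input is constructed.

```php
<?php
// Added example: allow-list HTML sanitisation with HTML Purifier,
// applied on input before storage. Assumes a Composer install.
require_once __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allow-list, not block-list: only these elements and attributes survive.
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,ul,ol,li,blockquote,code,pre,' .
        'a[href|title],img[src|alt|title]');
    // Only http/https URIs in href/src; other schemes (javascript:, data:) are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Add rel="nofollow" to user-supplied links.
    $config->set('HTML.Nofollow', true);
    // No definition cache for this stand-alone demo.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

// Returns markup that contains only allow-listed elements and attributes.
function sanitizeEntry(string $dirtyHtml): string
{
    return buildPurifier()->purify($dirtyHtml);
}

// Constructed sample input: the formatting a user legitimately wants,
// mixed with content that must not reach the database.
$userInput = '<p>Hello <b>world</b>, see <a href="https://example.com">this</a>.</p>'
    . '<script>/* constructed sample */</script>'
    . '<a href="javascript:void(0)" onclick="void(0)">click</a>'
    . '<img src="https://example.com/pic.png" alt="pic" onerror="void(0)">';

$clean = sanitizeEntry($userInput);

// $clean keeps <p>, <b>, the https link (now with rel="nofollow") and the image;
// the <script> element, the javascript: href and both on* attributes are removed.
echo $clean, PHP_EOL;
```

$clean is what goes into the prepared statement's bound parameter; because the moderation step and any later output escaping are separate controls, keep them in place as well.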
