在注释系统中禁用代码
[英]Disable code in comment system
问题描述
I have created a comment system where people comment on a topic. 
我创建了一个评论系统,人们可以在该系统上评论主题。 The comment is stored in a SQL database. 注释存储在SQL数据库中。 Now, to avoid malicious links, or JS/HTML/PHP code to be inserted into the comment which could be executed.. How do I prevent this? 现在,为避免恶意链接,或将JS / HTML / PHP代码插入可以执行的注释中。如何防止这种情况发生? Suppose the comment is a JS code.. Like 假设注释是一个JS代码。
<script> document.DoSomething()</script>
How would I prevent this? 我该如何预防? Thanks. 谢谢。
2 个解决方案
解决方案1
0 2014-01-17 06:21:33
You need to scrub and/or encode user input that you're displaying. 您需要清理和/或编码要显示的用户输入。
Here is an example of how server emitting contents encodes it (this is Microsoft .NET) 这是服务器发出内容的方式的示例(这是Microsoft .NET)
<script><%=Html.Encode(serverSide.DoSomething())%></script>
Scrubbing is a popular topic. 擦洗是一个受欢迎的话题。 Most times it's better to use something that is ready, as the variations of such attacks are so many, that starting from scrach is usually not going to give you the coverage you'd get from existing libs. 在大多数情况下,最好使用已准备好的东西,因为此类攻击的种类很多,以至于从头开始通常不会为您提供从现有库中获得的覆盖范围。 Look at this one for example: https://code.google.com/p/google-caja/ 看看这个例子: https : //code.google.com/p/google-caja/
解决方案2
0 2014-01-17 06:23:43
Match the comment with a regex like so: 将评论与正则表达式匹配,如下所示:
comment.match(/<script>.+</script>/)
If there is a match, then don't allow it. 如果有匹配项,则不允许它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.