Extracted data and XSS
I am currently extracting data from an RSS feed (XML). An example would be:
Bob's dog
Now I have a problem: I would like to protect myself against XSS, since the data comes from a foreign source. Therefore, I go ahead and escape the data, with this result:
Bob's dog
Now when I try to print the data I extracted, it prints:
Bob's dog
... instead of ...
Bob's dog
Question: How can I protect myself against XSS but still print the data, avoiding double entities?
First you want to decode the string using either html_entity_decode() or htmlspecialchars_decode(). After that, re-encode the string to prevent XSS using:
htmlspecialchars($theString, ENT_QUOTES, 'UTF-8'); // or whatever encoding
Although the data already looks like it is encoded, we re-encode it either way, because the third party could at some point decide to start sending raw data instead.
This way you would still be protected.
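The decode-then-re-encode normalisation from the answer above, as an added example that is not code from the original post. The sample feed values are constructed for the demonstration; the function name `safeFeedText` is an assumption. It decodes at most one layer of entities and then always applies exactly one layer of escaping, so raw, pre-encoded and malicious inputs all come out safe for an HTML text or attribute context.

```php
<?php
// Added example, not the original poster's or answerer's code.
// Normalise entity-encoded feed text to exactly one layer of HTML escaping.

function safeFeedText(string $raw): string
{
    // Step 1: undo whatever entity encoding the feed applied (zero or one layer).
    // ENT_QUOTES decodes both quote styles; ENT_HTML5 recognises named
    // entities such as &apos; as well as numeric ones such as &#039;.
    $decoded = html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: re-encode for an HTML text/attribute context. This runs on
    // every value, so raw feed data is escaped exactly like pre-encoded data.
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD instead of
    // letting htmlspecialchars() return an empty string and silently drop
    // the whole value (the pre-PHP-8.1 default behaviour).
    return htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs (assumed; not taken from a real feed).
$samples = [
    "Bob's dog",                          // raw, never encoded by the publisher
    "Bob&#039;s dog",                     // already entity-encoded by the publisher
    "Bob&amp;#039;s dog",                 // double-encoded: the symptom in the question
    "<script>alert(1)</script>",          // raw markup that must never reach the DOM
    "&lt;img src=x onerror=alert(1)&gt;", // encoded markup: stays inert after the round trip
];

foreach ($samples as $s) {
    printf("%-40s -> %s\n", $s, safeFeedText($s));
}
```

Two caveats a practitioner should keep in mind. The function removes only one layer of encoding, so a value the publisher double-encoded is rendered with one layer of entity text still visible; that is cosmetic, never executable, which is the correct trade-off compared with decoding in a loop until nothing changes (which turns the publisher's literal "&amp;lt;script&amp;gt;" into live markup). And htmlspecialchars() protects an HTML text or quoted attribute context only; if the feed value is placed inside a JavaScript string, a URL, or an unquoted attribute, that context needs its own escaping.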