
shortcut to escaping to prevent XSS

I've just discovered that my website (html/php) is vulnerable to XSS attacks.
Is there any way to sanitize my data besides manually adding htmlspecialchars to each individual variable that I send to the webpage (and probably missing a few, thereby leaving it still open to attack)?

No, there is no shortcut. Data escaping always needs to happen on a case by case basis; not only with regards to HTML, but to any other textual format as well (SQL, JSON, CSV, whathaveyou). The "trick" is to use tools which do not require you to think about this much and hence may allow you to "miss" something. If you're just echoing strings into other strings, you're working at the bare metal level and you do need a lot of conscious effort to escape everything. The generally accepted alternative is to use a templating language which implicitly escapes everything.

For example, Twig:

The PHP language is verbose and becomes ridiculously verbose when it comes to output escaping:

    <?php echo $var ?>
    <?php echo htmlspecialchars($var, ENT_QUOTES, 'UTF-8') ?>

In comparison, Twig has a very concise syntax, which makes templates more readable:

    {{ var }}
    {{ var|escape }}
    {{ var|e }} {# shortcut to escape a variable #}

To be on the safe side, you can enable automatic output escaping globally or for a block of code:

    {% autoescape true %}
        {{ var }}
        {{ var|raw }} {# var won't be escaped #}
        {{ var|escape }} {# var won't be doubled-escaped #}
    {% endautoescape %}

This still lets you shoot yourself in the foot, but is a lot better.

One step up still is PHPTAL:

    <div class="item" tal:repeat="value values">
        <div class="title">
            <span tal:condition="value/hasDate" tal:replace="value/getDate"/>
            <a tal:attributes="href value/getUrl" tal:content="value/getTitle"/>
        </div>
        <div id="content" tal:content="value/getContent"/>
    </div>

It requires you to write valid HTML simply to compile the template, and the template engine is fully aware of HTML syntax and will process all user data at the level of a DOM, instead of a string soup. This relegates HTML to a pure serialisation format (which it should be anyway) which is produced by a serialiser whose only job is to turn an object oriented data structure into text. There's no way to mess up that syntax through bad escaping.
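As an added example (not part of the answer above and not Twig's or PHPTAL's code), a minimal escape-by-default renderer in PHP that mirrors the Twig autoescape/raw split: every `{{ name }}` placeholder goes through htmlspecialchars with ENT_QUOTES and UTF-8 unless the value is explicitly wrapped as trusted markup. It assumes PHP 8.1 or later; SafeHtml, h(), render() and the sample input are constructed for this example.

```php
<?php
declare(strict_types=1);

// Marker for markup that has already been escaped or is otherwise trusted.
// Wrapping is an explicit opt-out, the equivalent of Twig's |raw (hypothetical class).
final class SafeHtml
{
    public function __construct(public readonly string $markup) {}
}

// Escape a value for an HTML text node or a quoted attribute value.
// ENT_QUOTES covers single and double quotes (an attribute delimited with ' is
// otherwise not protected); ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would silently drop the value.
function h(string|SafeHtml $value): string
{
    if ($value instanceof SafeHtml) {
        return $value->markup;      // trusted markup passes through unchanged
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Replace {{ name }} placeholders with escaped values. An unknown name throws
// rather than leaving the placeholder in the page, so a typo cannot go unnoticed.
function render(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\{\s*(\w+)\s*\}\}/',
        static function (array $m) use ($vars): string {
            if (!array_key_exists($m[1], $vars)) {
                throw new InvalidArgumentException("Unknown template variable: {$m[1]}");
            }
            return h($vars[$m[1]]);
        },
        $template
    );
}

// Constructed sample input containing both quote styles and angle brackets,
// used once inside an attribute and once as text content.
$userTitle = 'Tom\'s "Best" <Deals>';
$html = render(
    '<a href="/item" title="{{ title }}">{{ title }}</a>{{ footer }}',
    [
        'title'  => $userTitle,               // escaped by default
        'footer' => new SafeHtml('<hr>'),     // deliberately trusted, like |raw
    ]
);
echo $html, PHP_EOL;
```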

