这样做安全吗? PHP的json_encode和javascript
[英]Is it safe to do this? PHP's json_encode and javascript
问题描述
I've been searching around for security concerns about using PHP json_encode inside javascript context but I'm not exactly satisfied with the results 
我一直在寻找有关在javascript上下文中使用PHP json_encode的安全性问题,但我对结果并不完全满意
I got a lot of warnings about doing this but they always assume that I was going to inject data from the json_encode object directly to HTML without any type of sanitizing at all 关于这样做我收到了很多警告,但是他们总是假设我要将json_encode对象的数据直接注入HTML而不进行任何类型的清理
So, I want to know if this and only this little snippet presents any security issues (like xss attacks etc) 所以,我想知道这个和这个小片段是否存在任何安全问题(如xss攻击等)
<?php
$obj = isset($_POST['js']) ? json_encode($_POST['js']) : false;
if ($obj === false) $obj = '{}';
?>
<script>var x = <?php echo $obj ?>;</script>
EDIT: 编辑:
Changed the snippet to handle json_encode returning false 更改了片段以处理返回false的json_encode
3 个解决方案
解决方案1
1 已采纳 2017-11-21 08:19:37
With that line of code 有了这行代码
var x = <?php echo $obj ?>;
...the server application echoes back the data that was submitted to it via the "js" key. ...服务器应用程序回送通过“js”键提交给它的数据。 It will be client that sent it that will receive it, so if in some way it is malicious, it will be that same client dealing with the consequences. 它将是发送它的客户端将接收它,因此如果在某种程度上它是恶意的,那将是同一个客户端处理后果。
The actual sending to the server is in fact the irrelevant part of the chain: if one has the data to submit, one can also assign it to the variable x directly without the server's interference (eg through browser's dev tools). 实际发送到服务器实际上是链中不相关的部分:如果有人要提交数据,也可以直接将其分配给变量x而不受服务器的干扰(例如通过浏览器的开发工具)。
It would be a different story if in PHP you would use the data to manipulate a server database, call a service, or otherwise change the application's state, and you would not first validate that data. 如果在PHP中您将使用数据来操作服务器数据库,调用服务或以其他方式更改应用程序的状态,那么这将是一个不同的故事,您将不会首先验证该数据。
As to the use of json_encode : if indeed you verify that the argument is valid JSON (by checking that the return value is not false ), it will produce a valid JavaScript object literal. 至于json_encode的使用:如果确实你验证参数是有效的JSON(通过检查返回值不是false ),它将产生一个有效的JavaScript对象文字。 The known cases of incompatibility (characters U+2028 and U+2029 ) will not occur, as by default json_encode escapes these characters. 不会出现已知的不兼容情况(字符U+2028和U+2029 ),因为默认情况下json_encode转义这些字符。
解决方案2
-1 2017-11-21 05:51:32
It is correct as per coding. 根据编码它是正确的。 However you have to validate the variable x should not be empty or the posted value. 但是,您必须验证变量x不应为空或已发布的值。
<script>var x = "<?php if(isset($_POST['js']))
{
echo json_encode($_POST["js"]);
}";
</script>
解决方案3
-1 2017-11-21 05:52:11
Sometimes json_encode returns false, if return it that js expression will broke. 有时json_encode返回false,如果返回js表达式就会破坏。 this will works safer. 这将更安全。
<script>var x = JSON.parse(<?php echo (json_encode($_POST["js"]) ? json_encode($_POST["js"]) : '{}'));</script>
if json_encode returns false, var x will get just empty object. 如果json_encode返回false,则var x将只获得空对象。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.