[英]PHP Prevent xss
Is htmlentities
best solution to prevent XSS in PHP? htmlentities
是防止 PHP 中 XSS 的最佳解决方案吗? Also I would like to allow simple tags like b
, i
, a
and img
.此外,我想允许简单的标签,如b
、 i
、 a
和img
。 What would be the best solution to implement this?实现这一点的最佳解决方案是什么? I did consider bbcode but found out if not implemented properly I too will have XSS problem.我确实考虑过 bbcode 但发现如果没有正确实施我也会有 XSS 问题。 What should I do?我该怎么办? Any good third-party library is welcome.欢迎任何好的第三方库。
EDIT:编辑:
I just tried HTML Purifier and it failed on this case.我刚刚尝试了 HTML Purifier,但在这种情况下失败了。 Just see this example 看看这个例子
For that, I would go for the HTML Purifier , and yes you can specify your whitelist tags there too.为此,我会选择HTML Purifier ,是的,您也可以在那里指定白名单标签。
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier 是一个用 PHP 编写的符合标准的 HTML 过滤器库。 HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, HTML Purifier 不仅会通过彻底的审计删除所有恶意代码(也称为 XSS),
secure yet permissive whitelist , it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.安全而宽松的白名单,它还将确保您的文档符合标准,只有全面了解 W3C 的规范才能实现这一点。
I know there are certain functions in PHP language for that but I would prefer a dedicated solution instead.我知道 PHP语言中有某些功能,但我更喜欢专用的解决方案。
have a look at custom markup languages like markdown (used by stackoverflow), reStructuredText , textile or similar lightweight markup languages查看自定义标记语言,如markdown (由 stackoverflow 使用)、 reStructuredText 、 textile或类似的轻量级标记语言
Try using this code (it allows for <i>
, <b>
and <del>
):尝试使用此代码(它允许<i>
、 <b>
和<del>
):
<?php
$html = '<b>Inline <del>context <div>No block allowed <great going </div></del></b>';
function escapeEveryOther(&$v, $k) {
if($k % 2 == 0) {
$v = htmlspecialchars($v);
}
}
$parts = preg_split('`(</?(?:b|i|del)>)`is', $html, -1, PREG_SPLIT_DELIM_CAPTURE);
array_walk($parts, 'escapeEveryOther');
$html = implode('', $parts);
and then pass $html
through HTMLPurifier to fix non matching tag openings and closings.然后通过HTMLPurifier传递$html
来修复不匹配的标签打开和关闭。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.