XSS:使用PHP的json_encode创建javascript对象
[英]XSS : Creating a javascript object using PHP's json_encode
问题描述
Is this 100% safe against XSS? 
这是100%安全的XSS吗? If not, can you please provide example bad string text showing me why it is not. 如果不是,您能否提供示例错误的字符串文本,向我显示为什么不这样。
<html>
<body>
<script>
<?php
$bad = "some bad string. please give example text that makes the below unsafe";
echo "var a = ".json_encode($bad).";";
echo "var b = ".json_encode(array($bad)).";";
?>
</script>
</body>
</html>
Thanks.
2 个解决方案
解决方案1
4 已采纳 2011-05-06 15:26:27
In short, it's safe. 简而言之,很安全。 Possible XSS would require escaping from the javascript string ( " ) or script ( </script> ). Both strings are properly escaped: 可能的XSS需要转义javascript字符串( " )或脚本( </script> )。两个字符串均已正确转义:
" becomes \"
</script> becomes <\/script>
This is the the part about direct injection. 这是有关直接注射的部分。 Your application should take in account that some array elements may be missing. 您的应用程序应考虑到某些数组元素可能会丢失。 Another possibility is that an array element is not the type you would expect (eg, an array instead of a string) 另一种可能性是数组元素不是您期望的类型(例如,数组而不是字符串)
解决方案2
2 2016-10-25 02:57:09
Definitely not!!! 当然不!!!
Don't use json_encode to escape javascript. 不要使用json_encode逃脱JavaScript。
for example: 例如:
json_encode <img src=# onerror=alert(1)> , this will escape nothing and output to brower. json_encode <img src=# onerror=alert(1)> ,这将什么也不会逸出并输出给浏览器。 This is a xss. 这是一个xss。
use htmlspecialchars instead. 请改用htmlspecialchars 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.