
PHP_SELF and SCRIPT_NAME - XSS attacks edition

PHP_SELF opens up a page to XSS attacks when code such as echo $_SERVER['PHP_SELF'] is included, but what about SCRIPT_NAME? Since it does not include path info, is this safe to use? I know you can use htmlentities and other similar functions to sanitize, but I'd rather avoid the extra function call.

I'm quite sure that it would be safe to use, but I'd like the reassurance of the SO community :)

As good practice, you should always protect against any variables from $_SERVER, $_GET, $_POST etc.

$str = filter_var($input, FILTER_SANITIZE_STRING);

A simple way to sanitize a string, or you can use htmlentities. I created a class that I use when returning any variables from $_SERVER, $_GET and $_POST.
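The wrapper class the answer describes, written out as an added example (this is not the answerer's code and not part of the original post). It escapes on output with htmlspecialchars rather than filter_var, because FILTER_SANITIZE_STRING strips tags instead of encoding them and is deprecated as of PHP 8.1. The $_SERVER values are constructed by hand to mimic what Apache with mod_php populates for a request to /index.php/"><script>alert(1)</script>, so the script runs offline; the class name SafeInput and its method names are the example's own. The caveat the question glosses over: SCRIPT_NAME omits the path-info suffix only when the web server separates it, and front-ends that derive SCRIPT_NAME from the request URI (nginx passing $fastcgi_script_name to PHP-FPM without fastcgi_split_path_info is the usual case) hand PHP a SCRIPT_NAME that still carries the attacker's suffix, so escaping it is the safe default.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes PHP >= 8.0. Request data below is constructed, not a live request.
declare(strict_types=1);

final class SafeInput
{
    /** Escape a value for HTML text or a double-quoted attribute. */
    public static function html(?string $value): string
    {
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    /** Escaped $_SERVER entry (PHP_SELF, SCRIPT_NAME, REQUEST_URI, ...). */
    public static function server(string $key, string $default = ''): string
    {
        return self::html($_SERVER[$key] ?? $default);
    }

    /** Escaped query-string parameter. */
    public static function get(string $key, string $default = ''): string
    {
        return self::html($_GET[$key] ?? $default);
    }

    /** Escaped POST body parameter. */
    public static function post(string $key, string $default = ''): string
    {
        return self::html($_POST[$key] ?? $default);
    }
}

// Constructed request: GET /index.php/"><script>alert(1)</script>
// Apache + mod_php with AcceptPathInfo splits the URI like this:
$_SERVER['SCRIPT_NAME'] = '/index.php';
$_SERVER['PATH_INFO']   = '/"><script>alert(1)</script>';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Vulnerable: PHP_SELF carries the attacker-controlled PATH_INFO verbatim,
// so the injected quote closes the attribute and the <script> tag is live.
$vulnerable = '<form action="' . $_SERVER['PHP_SELF'] . '">';

// Hardened: the same value, escaped on output. The quote becomes &quot;
// and the angle brackets become &lt; / &gt;, so it stays inside the attribute.
$hardened = '<form action="' . SafeInput::server('PHP_SELF') . '">';

// SCRIPT_NAME is clean on this constructed Apache request, but the same
// one-call escape is applied anyway: on a front-end that builds SCRIPT_NAME
// from the request URI it would contain the PATH_INFO suffix too.
$scriptName = '<form action="' . SafeInput::server('SCRIPT_NAME') . '">';

echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;
echo $scriptName, PHP_EOL;

// Cross-check: the escaped form must never contain a raw quote or tag.
assert(!str_contains(SafeInput::server('PHP_SELF'), '"'));
assert(!str_contains(SafeInput::server('PHP_SELF'), '<'));
```

Run it with `php example.php` and compare the first two lines of output: the first breaks out of the action attribute, the second does not. The point of routing every $_SERVER, $_GET and $_POST read through one class is that the escaping call the question wanted to avoid is made exactly once, in one place, regardless of which server variable a template happens to use.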
