什么是允许使用HTML输出并避免XSS攻击的函数
[英]What is a function that will allow output with HTML and avoid XSS attacks
问题描述
I am looking for a way or function that will allow me to display data from my mySQL database. 
我正在寻找一种方法或功能,允许我显示mySQL数据库中的数据。 The users are allowed to post articles, that I use mysql_real_escape_string to avoid SQL injections before inserting their post in the DB. 允许用户发布文章,我使用mysql_real_escape_string来避免SQL注入,然后在数据库中插入帖子。
For my testing pursposes I write in a text area my post with tags like <b> <a> <i> <li> . 对于我的测试目的,我在文本区域写了我的帖子,标签为<b> <a> <i> <li> 。 Later I will use an editor like this one here on Stackoverflow to help users with their posts. 稍后我将在Stackoverflow上使用像这样的编辑器来帮助用户发布他们的帖子。
However, I am aware of XSS and just echoing straight from the DB may lead to XSS attacks. 但是,我知道XSS并且直接从数据库回应可能会导致XSS攻击。 So, I choosed for my tests to output the content with htmlentities or htmlspecialchars . 所以,我选择了我的测试来输出htmlentities或htmlspecialchars的内容。 None of them will show me the post correctly with html. 他们都没有用html正确地向我展示帖子。
Therefore, I used strip tags but as far as I know and read, is not safe. 因此,我使用条带标签,但据我所知和阅读,是不安全的。
What is a function that you may use too, that will let me output the data correctly, just like this and prevent XSS? 什么是一个函数,你可能会使用太多,会让我输出的数据正确, 就像 this ,防止XSS?
1 个解决方案
解决方案1
0 已采纳 2011-08-26 21:41:45
If you want to display html correctly you should print plain html as you get it. 如果你想正确显示html,你应该打印纯HTML。 But for avoiding XSS try to remove javascript tags and don't allow load images from external resources. 但是为避免XSS尝试删除javascript标记,并且不允许从外部资源加载图像。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.