如何阻止javascript://作为url参数
[英]How to block javascript:// as url parameter
问题描述
I'm currently writing a PHP script for a guestbook in PHP where people can put their name, website and messages in a form, but I want to prevent someone from putting javascript:// in de url box to reduce the risk of XSS, I've tried to solve this with: 
我正在为PHP中的留言簿编写一个PHP脚本,人们可以将它们的名称,网站和消息放在一个表单中,但我想阻止有人将javascript://放在de url框中以降低XSS的风险,我试图解决这个问题:
<?php filter_var($_POST['website'], FILTER_VALIDATE_URL) ?>
But I'm still able of putting javascript:// in de url box how could I prevent this? 但是我仍然可以将javascript://放在de url框中,我怎么能阻止这个?
3 个解决方案
解决方案1
3 2012-03-20 18:45:10
A clean solution would be using PHP's parse_url function and to check if the used protocol is HTTP or in a list of allowed protocols if you're allowing http:// and skype:// for example… 一个干净的解决方案是使用PHP的parse_url函数并检查所使用的协议是HTTP还是允许的协议列表,如果你允许http://和skype://例如......
$url = 'http://username:password@hostname/path?arg=value#anchor';
$tmp = parse_url($url);
if ($tmp['scheme'] === 'http') {
echo 'is http://';
}
if (in_array($tmp['scheme'], array('http', 'skype', 'call')) {
echo 'is allowed protocol';
}
解决方案2
2 2012-03-20 18:44:27
$chk = parse_url($url);
switch ($chk['scheme']) {
case 'http':
case 'https':
break;
default:
// throw error here
break;
}
解决方案3
-1 已采纳 2012-03-20 18:38:52
with preg_replace 与preg_replace
$website = preg_replace("/(javascript:\/\/)/i", "http://", mysql_real_escape_string($_POST['website']));
or with str_ireplace 或者使用str_ireplace
$website = str_ireplace("javascript:", "http:", mysql_real_escape_string($_POST['website']));
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.