[英]PHP htmlentities not enough to stop hackers injecting html from form
I have a form with a text box that posts data to a php file that uses the function "htmlentities" to make it safe to email to the website owner. 我有一个带有文本框的表单,该文本框将数据发布到使用“htmlentities”功能的php文件,以便通过电子邮件发送给网站所有者。
The problem is that someone managed to get a hyperlink in the text and htmlentities() does not remove it. 问题是有人设法在文本中获得超链接,而htmlentities()不会删除它。
This is my textbox html: 这是我的文本框html:
<input name="usertext" type="text" />
This is my PHP code that receives the post data (I left the email code out because that's not the problem. I changed it to just echo the received data so I could try to replicate what the hacker did. If I know how he did it, I can find a way to stop it from happening): 这是我接收帖子数据的PHP代码(我留下了电子邮件代码,因为这不是问题。我改变它只是回应收到的数据,所以我可以尝试复制黑客所做的。如果我知道他是怎么做的,我可以找到阻止它发生的方法):
echo trim(htmlentities($_POST["usertext"], ENT_QUOTES));
Now the hacker send some data and this was the result html (the source code - that means it showed a normal link in the browser): 现在黑客发送了一些数据,这就是结果html(源代码 - 这意味着它在浏览器中显示了一个正常的链接):
<a target="_blank" href="mailto:nyjfvw@fbjgzy.com">nyjfvw@fbjgzy.com</a>
I thought that htmlentities() would always stop anyone from being able to enter html of any kind. 我认为htmlentities()总能阻止任何人输入任何类型的HTML。 If I enter a hyperlink such as:
如果我输入一个超链接,例如:
<a href="aaa" />
I get: 我明白了:
<a href="aaa" />
But the hacker's text was not encoded like that. 但是黑客的文本并没有这样编码。
So my questions are: 所以我的问题是:
I did some research and it might be possible that the hacker encoded his text in utf-7 or something? 我做了一些研究,黑客可能会用utf-7或其他东西编码他的文本?
I have already received a few emails with these same links. 我已收到几封带有相同链接的电子邮件。 This hacker is obviously testing my website to see if he can do XSS or something.
这个黑客显然正在测试我的网站,看看他是否可以做XSS或其他什么。
我认为strip_tags
完全符合您的需求: http : //php.net/manual/en/function.strip-tags.php
这不是最优雅的解决方案,但是如果没有看到其余代码,您可以检查usertext字段是否包含字符串“href”并拒绝它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.