
redirects using htmlspecialchars/htmlentities

I have this kind of redirect now

Redirect::to(htmlspecialchars('home.php'));

but when I type this on my home.php: /%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E

it results like this: (screenshot: the alert box is shown)

but why? They said that it will be converted so the exploit attempt will fail, but why isn't it in mine?

htmlspecialchars encodes special characters to their HTML equivalent in a string which is passed by argument. Your Code

Redirect::to(htmlspecialchars('home.php')); 

only encodes the string home.php and passes it to the Redirect::to function; it does not use htmlspecialchars on the output of the whole page.

To solve this, you have to use it on every output in home.php like this:

<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>

(Example from: http://php.net/htmlspecialchars )
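To make the answer's point concrete, here is an added example (not from the original question or answer) that feeds the question's payload, URL-decoded, through both the redirect call and two versions of an output line in home.php. The variable names and the render_unsafe/render_safe functions are assumed for illustration.

```php
<?php
// Constructed input: the question's payload as PHP sees it after URL decoding,
// standing in for a user-controlled value such as $_GET['name'] on home.php.
$name = '"><script>alert(\'hacked\')</script>';

// What the question does: encoding the redirect TARGET. 'home.php' contains no
// special characters, so htmlspecialchars returns it unchanged and the browser
// is simply sent to home.php. Nothing about home.php's own output is protected.
$target = htmlspecialchars('home.php');

// Unsafe output on home.php: the value lands inside an attribute, the leading
// quote closes that attribute and the <script> element is emitted verbatim.
function render_unsafe(string $value): string
{
    return '<input name="q" value="' . $value . '">';
}

// Safe output: encode at the point of output. ENT_QUOTES converts both ' and "
// (before PHP 8.1 the default flags left single quotes alone), so the value
// cannot break out of the attribute; < and > become entities as well.
function render_safe(string $value): string
{
    return '<input name="q" value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

echo "redirect target: ", $target, "\n";
echo "unsafe: ", render_unsafe($name), "\n";
echo "safe:   ", render_safe($name), "\n";
```

Running it shows the target unchanged, the unsafe line carrying a live script element, and the safe line with every quote and angle bracket turned into an entity, which is the difference the answer describes.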
