Is it possible to use htmlspecialchars() to filter video embeds?

Posted 2024-09-24 08:12:37


I am allowing users to embed videos on their page, but just in case I want to filter the output. To present the video I retrieve the embed statement from the database but when it is filtered, it is presented in raw code. Is there a video friendly way to filter something like this or does anyone have any suggestions on a different way to do it? Thanks in advance for any advice.

    while ($row = $query->fetch(PDO::FETCH_ASSOC)) {
        $video = htmlspecialchars($row['video'], ENT_NOQUOTES, 'UTF-8');
    }

    echo "$video";

In the database, the video will look like this, for example:

    <object width="464" height="368" id="669545" type="application/x-shockwave-flash"
            classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
            alt="Aqua Teen Hunger Force - Hand Banana Funny Videos">
        <param name="movie" value="http://embed.break.com/NjY5NTQ1"></param>
        <param name="allowScriptAccess" value="always"></param>
        <embed src="http://embed.break.com/NjY5NTQ1" type="application/x-shockwave-flash"
               allowScriptAccess=always width="464" height="368"></embed>
    </object>
    <br>
    <font size=1>
        <a href="http://www.break.com/usercontent/2009/2/Aqua-Teen-Hunger-Force-Hand-Banana-669545.html"
           target="_blank">Aqua Teen Hunger Force - Hand Banana</a>
        - Watch more <a href="http://www.break.com" target="_blank">Funny Videos</a>
    </font>


Comments (1)

月光色 2024-10-01 08:12:37


In general you should be htmlspecialchars()ing user-input at the point you insert it into HTML. But in this case you already have HTML, so there's nothing much you can do.

You can't usefully filter embedded plugins. If you are allowing users to specify an arbitrary Flash file or other plugin, you have already effectively given them free cross-site-scripting access into your security context, and no amount of string sanitisation will fix that.

If you really need to allow users to submit arbitrary Flash or other <object>/<embed> code, you will need to host that untrusted code in a separate security context. Typically, you put the main site on www.example.com, and include an <iframe> to stuff.example.com which spits out the untrusted <object> code. Then when the plugin code tries to do something hostile, at least it can only affect stuff.example.com and not any of your real webapp on www.example.com.

Alternatively, you could only allow users to post video content from providers you trust, eg. youtube.com. You then just let them submit a YouTube video ID, and build up the <object> code yourself to point to the URL for that ID.
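The trusted-provider approach from the answer above, as an added PHP example that is not part of the original post: the user submits only a YouTube video ID (or a URL the ID can be extracted from), the ID is validated against a strict grammar, and the embed markup is generated server-side, so no user-supplied HTML is ever echoed. The 11-character ID grammar and the `https://www.youtube.com/embed/<id>` iframe form are assumptions standing in for the Flash `<object>` of the era.

```php
<?php
declare(strict_types=1);

// Added example, not the answer's own code. Stores and renders a video ID,
// never user-supplied markup. The ID grammar and embed URL are assumptions.

/**
 * Extract a YouTube video ID from a bare ID or a common YouTube URL.
 * Returns null for anything that does not match the strict ID grammar.
 */
function extract_youtube_id(string $userInput): ?string
{
    $candidates = [trim($userInput)];
    // Common URL shapes: ?v=ID, youtu.be/ID, /embed/ID
    if (preg_match('~(?:[?&]v=|youtu\.be/|/embed/)([A-Za-z0-9_-]{11})~', $userInput, $m)) {
        $candidates[] = $m[1];
    }
    foreach ($candidates as $candidate) {
        // Exactly 11 characters from the ID alphabet; nothing else is accepted.
        if (preg_match('/^[A-Za-z0-9_-]{11}$/', $candidate)) {
            return $candidate;
        }
    }
    return null; // reject rather than "filter": there is no markup to clean
}

/**
 * Build the embed markup ourselves from a validated ID. Even though the ID
 * cannot contain HTML metacharacters, it is still escaped at the insertion
 * point, which is the htmlspecialchars() usage the answer recommends.
 */
function youtube_embed_html(string $videoId): string
{
    return sprintf(
        '<iframe width="464" height="368" src="https://www.youtube.com/embed/%s" '
        . 'allowfullscreen referrerpolicy="strict-origin-when-cross-origin"></iframe>',
        htmlspecialchars($videoId, ENT_QUOTES, 'UTF-8')
    );
}

// On submit: store only the validated ID (e.g. a video_id column), or refuse.
$submitted = 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'; // constructed sample input
$id = extract_youtube_id($submitted);
if ($id === null) {
    http_response_code(400);
    exit('Unsupported video reference');
}
// On render: $row['video_id'] comes from the database instead of raw HTML.
echo youtube_embed_html($id);
```

Input such as `"><script>alert(1)</script>` never reaches the page because `extract_youtube_id()` returns null for it and nothing is rendered.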
