如何使用 PHP 防止 URL 表单字段中的 HTML 注入?
例如,如果我在表单中收集 [URL 值],将该 [URL 值] 保存在数据库中,然后在页面中使用它,如下所示
<a href="[URL value]" > The Link </a>
:我该如何防止这种[URL值]:
http://www.somelink.com"> Evil text or can be empty </a> ALL THE EVIL HTML I WANT <a href="
如何防止URL表单字段的这种HTML注入而不破坏URL(如果它是有效的)?
For example if I am colecting a [URL value] in a form, saving that [URL value] in a database, and then using it in a page like this:
<a href="[URL value]" > The Link </a>
How do I protect against this [URL value]:
http://www.somelink.com"> Evil text or can be empty </a> ALL THE EVIL HTML I WANT <a href="
How can I protect against this kind of HTML injection for URL form fileds without breaking the URL in case it is valid ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
收到表单上的 URL 时:
filter_var(url, FILTER_VALIDATE_URL)确保 URL 的格式有效。http://或https://开头(或者至少拒绝所有javascript:URL,因为它们可能包含恶意代码)显示页面时:
htmlspecialchars()转义您在 HTML 中插入的 URL(以及所有其他文本)。When receiving the URL on the form:
filter_var(url, FILTER_VALIDATE_URL)to ensure the URL is in a valid format.http://orhttps://(or at least reject alljavascript:URL as they can include malignant code)When displaying the page:
htmlspecialchars()to escape the URL (and all other text) that you insert in the HTML.最简单的方法是检查输入是否包含语法上有效的 url,不包含诸如 > 之类的字符。 URL 中不允许使用这些内容。最简单的方法是使用过滤器扩展。执行此操作的代码如下所示:
The simplest way to do that would be to check that the input contains what looks like a syntactically valid url, with no characters such as > which are not allowed in URL's. The easiest way to do that is using the filter extension. The code to do it would be like this:
编辑:只使用 urlencode,不要使用 htmlentities
每当您将数据放入 URL 的键/值对时,您应该使用 urlencode() 对该数据进行编码。此函数将处理在 URL 的构建方式中具有语法意义的任何特殊字符。 &符号、等号和问号将为您编码。注入 HTML 中的所有尖括号和换行符也将被编码!
EDIT: Just use urlencode, do not use htmlentities as well
Whenever you put data into the key/value pairs of a URL, you should encode that data using urlencode(). This function will take care of any special characters that syntactic meaning in the way URLs are meant to be constructed. Ampersands, equal signs and question marks will be encoded for you. All the angle brackets AND new line characters in the inject HTML will be encoded too!
要在显示时转义,请使用 htmlentities($var, ENT_QUOTES) 或 htmlspecialchars($var, ENT_QUOTES)。由于浏览器特定的 XSS 负载,需要转义单引号和双引号。检查此处 - http://ha.ckers.org/xss2.html
另外,在验证 URL 时javascript: URI 并不是唯一危险的。另一种是数据:URI。
无论如何,排除除白名单之外的所有内容,然后包含除黑名单之外的所有内容总是更安全。
For escaping when displaying use htmlentities($var, ENT_QUOTES) or htmlspecialchars($var, ENT_QUOTES). It's needed to escape both single and double quotes because of browser-specific XSS payloads. Check here - http://ha.ckers.org/xss2.html
Also, when validating URL javascript: URI is not the only one dangerous. Other one is data: URI.
Anyway, it's always more secure to exclude everything except whitelisted, then to include everything except black-listed.
打印 url 时使用
urlencode仅对"符号进行编码,例如:Use
urlencodeto encode just the"sign when printing the url, like: