Is $this->escape() in a Zend view enough against XSS?
I do a lot of $this->escape() in the Zend view. Is this enough to prevent XSS?
There's HTMLPurifier outside the Zend Framework. I wonder how Zend's $this->escape() compares to HTMLPurifier.
escape is an alias of htmlspecialchars. It allows you to output plain text, while HTMLPurifier allows you to output safe HTML.
You can't have XSS with plain text.
You have to use HTMLPurifier instead of strip_tags if you want to output safe HTML coming from user input (a rich text editor, for example).
HTMLPurifier serves a different purpose. HTMLPurifier does not escape HTML... well, not exactly. It takes a configuration you give it that defines what is permitted in the HTML and what is not, and it cleans based on that. The result is actually still HTML, with certain things removed/sanitized.
escape(), on the other hand, turns HTML-like characters into HTML entities so that they render as the same characters in the browser instead of being interpreted as HTML (e.g. & -> &amp;, < -> &lt;, > -> &gt; and so on). Different goals.
Does it save you from XSS issues? Yes, but make sure you have correctly configured your character encoding.
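Both answers say escape() is htmlspecialchars(), which is enough for plain text. The part neither answer spells out is that "plain text" means a specific output context. The following is an added example (not code from the question, the answers, or the Zend Framework) that models escape() as htmlspecialchars($s, ENT_COMPAT, 'UTF-8'), which is also what PHP's htmlspecialchars() did with no flags before PHP 8.1, and renders one untrusted value into several HTML contexts. It then parses each fragment with DOMDocument to check whether the value became an attribute, a javascript: URL or executable script. The escape() function, the context list and the payloads are all constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Assumption: Zend's $this->escape() == htmlspecialchars() with ENT_COMPAT,
// i.e. it encodes & < > and double quotes but leaves single quotes alone.
function escape(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// Stricter variant for attribute values: also encodes ', and replaces invalid
// UTF-8 with U+FFFD instead of returning an empty string.
function escapeAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one untrusted value into several output contexts using escape().
// Returns an array of context name => rendered HTML fragment.
function renderContexts(string $untrusted): array
{
    return [
        'text node'             => '<p>' . escape($untrusted) . '</p>',
        'double-quoted attr'    => '<input value="' . escape($untrusted) . '">',
        'single-quoted attr'    => "<input value='" . escape($untrusted) . "'>",
        'single-quoted (fixed)' => "<input value='" . escapeAttr($untrusted) . "'>",
        'unquoted attr'         => '<input value=' . escape($untrusted) . '>',
        'href attr'             => '<a href="' . escape($untrusted) . '">link</a>',
        'JS string'             => "<script>var x = '" . escape($untrusted) . "';</script>",
    ];
}

// Parse the fragment the way a browser would and look for the three outcomes
// that mean the untrusted value escaped its intended context.
function isExploitable(string $fragment): bool
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $fragment . '</body></html>');
    $xpath = new DOMXPath($doc);

    // 1. An event handler attribute the template never wrote.
    if ($xpath->query('//*[@onmouseover]')->length > 0) {
        return true;
    }
    // 2. A javascript: URL in the link (no character in it is HTML-special).
    foreach ($xpath->query('//a/@href') as $href) {
        if (stripos(trim($href->nodeValue), 'javascript:') === 0) {
            return true;
        }
    }
    // 3. A script element whose code is not the single string assignment the
    //    template wrote: either an injected <script> or a broken JS literal.
    foreach ($xpath->query('//script') as $script) {
        if (preg_match("/^var x = '[^']*';$/", $script->textContent) !== 1) {
            return true;
        }
    }
    return false;
}

// Constructed payloads, one per way of breaking out.
$payloads = [
    '<script>alert(1)</script>',      // classic tag injection
    '" onmouseover="alert(1)',         // close a double-quoted attribute
    "' onmouseover='alert(1)",         // close a single-quoted attribute
    'x onmouseover=alert(1)',          // unquoted attribute: no quote needed
    'javascript:alert(1)',             // URL scheme, nothing for escape() to touch
    "';alert(1);//",                   // close a JS string literal
];

foreach ($payloads as $p) {
    echo "payload: $p\n";
    foreach (renderContexts($p) as $ctx => $html) {
        printf("  %-22s %-6s %s\n", $ctx, isExploitable($html) ? 'UNSAFE' : 'ok', $html);
    }
}
```

Running it shows the pattern behind the second answer's "yes": the text node and double-quoted attribute rows stay "ok" for every payload, because `<`, `>`, `&` and `"` are all encoded. The single-quoted attribute breaks with ENT_COMPAT and is fixed by ENT_QUOTES; the unquoted attribute, the `href` and the JavaScript string break regardless, because the dangerous input contains no HTML-special character at all (or needs JavaScript, not HTML, escaping). The encoding caveat from the same answer is the third argument to htmlspecialchars(): it must match the page's declared charset, and with UTF-8 and no ENT_SUBSTITUTE an invalid byte sequence makes htmlspecialchars() return an empty string, silently dropping the value. URLs and script data need their own escaping (a scheme whitelist and json_encode() respectively); HTMLPurifier is for the separate case where the input is supposed to contain HTML.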