简单的 PHP XSS / Urlencode 问题

发布于 2024-10-17 19:27:10 字数 1142 浏览 4 评论 0原文

我有一个电子邮件地址参数,其中电子邮件地址以未编码的方式传递,如下所示:

http:// domain/[email protected]

PHP 转义/编码可以让我在页面的输入字段上安全地显示电子邮件地址?

我尝试的所有方法都会导致显示编码字符,而不是用户友好的电子邮件地址(即 test%2Btest%40test.com)

更新 - 这是我尝试过的:

来自 < a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="a19ec4ccc0c8cd9cd5c4d2d58ad5c4d2d5e1c6ccc0c8cd8fc2cecc">[电子邮件受保护] 至:

urlencode($_GET['email']) = test+test%40test.com (@ sign is encoded)
htmlspecialchars($_GET['email']) = test [email protected] (lost the +)
htmlspecialchars(urlencode($_GET['email']) = test+test%40test.com (@ sign encoded)

回想一下,我正在尝试获取未编码的 url 电子邮件参数并将其安全地输出到输入字段的值中,同时保持加号完好无损。

也许我应该尝试这个?

str_replace("%40", "@", htmlspecialchars(urlencode($_GET['email'])))

I have an email address param where email addresses are passed un-encoded like so:

http://domain/[email protected]

What PHP escaping/encoding will let me safely display the email address on an input field on the page?

Everything I tried causes the encoded chars to show up instead of the user-friendly email address (i.e. test%2Btest%40test.com)

Update - here's what I've tried:

Going from [email protected] to:

urlencode($_GET['email']) = test+test%40test.com (@ sign is encoded)
htmlspecialchars($_GET['email']) = test [email protected] (lost the +)
htmlspecialchars(urlencode($_GET['email']) = test+test%40test.com (@ sign encoded)

Recall that I'm trying to take the unencoded url email param and safely output it into the value of an input field while keeping plus signs intact.

Maybe I should try this?

str_replace("%40", "@", htmlspecialchars(urlencode($_GET['email'])))

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

蓝海似她心 2024-10-24 19:27:10

如果您想将其安全地输出到输入字段的值中,则需要先使用 htmlspecialchars

示例:

<input type="email" name="email" value="<?php echo htmlspecialchars($_GET['email']); ?>"

注意:如果您没有在输出内容周围使用双引号,则需要应用更多转义。 此页面解释了这一切。

If you want to safely output it in the value of an input field, you need to htmlencode it first with htmlspecialchars.

Example :

<input type="email" name="email" value="<?php echo htmlspecialchars($_GET['email']); ?>"

Note : If you aren't using double quote around what you are output, you need to apply more escaping. This page explains it all.

情独悲 2024-10-24 19:27:10

这有效:

str_replace("%40", "@", htmlspecialchars(urlencode($_GET['email'])))

This works:

str_replace("%40", "@", htmlspecialchars(urlencode($_GET['email'])))
情话已封尘 2024-10-24 19:27:10

您可能正在寻找urldecode()?这就是将 %40、%2B 等转换回普通字符的原因。

You're probably looking for urldecode()? That's what converts %40, %2B, etc. back into normal characters.

南风起 2024-10-24 19:27:10

按照 Kevin 建议,使用 emailaddress = urldecode($_GET['email']); 。它会做你需要的任何事情。

use emailaddress = urldecode($_GET['email']); as Kevin suggested. it will do whatever you need.

一场春暖 2024-10-24 19:27:10

如果您验证电子邮件并按原样编写,如果只接受电子邮件地址,会怎么样?

What if you validate the email and write it as it was, if only an email address is acceptable?

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文