XSS: REQUEST_URI run through htmlspecialchars() - then replacing &amp; with & - is that enough to prevent XSS injection?

Posted on 2024-10-24 06:57:51


Scenario:

I would like to replace: " ' < > with &quot; &#039; &lt; &gt; but keep the "&" character.

The string I'm dealing with is a URL and I want URL parameters to be separated by &, not &amp;.

Example Solution:

<?php
$url = "/some/path?a=123&b=456"; // from $_SERVER["REQUEST_URI"]
$url = htmlspecialchars($url, ENT_QUOTES, 'ISO-8859-1', true);
$url = str_replace('&amp;', '&', $url); // undo the &amp; encoding so the parameters stay separated by a raw &

Question:

If I use $url on my page (e.g. echo $url; inside HTML or JavaScript) can this be exploited by XSS?

Similar Questions:

There are other posts on SO covering XSS & htmlspecialchars() but I can't find an answer around whether the "&" character (and the htmlentities it may allow) can expose you to XSS.


Comments (2)

时间你老了 2024-10-31 06:57:51


Sijmen Ruwhof made this interesting point that I feel is relevant:

http://www.php.net/manual/en/function.htmlentities.php#99896

The 'ENT_QUOTES' option doesn't protect you against javascript evaluation in certain tag's attributes, like the 'href' attribute of the 'a' tag. When clicked on the link below, the given JavaScript will get executed:

<?php
$_GET['a'] = 'javascript:alert(document.cookie)';
$href = htmlEntities($_GET['a'], ENT_QUOTES);
print "<a href='$href'>link</a>"; # results in: <a href='javascript:alert(document.cookie)'>link</a>
?>
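Rendering the same REQUEST_URI value correctly for each output context the question asks about (HTML attribute, inline JavaScript, and the href case raised in the answer above), as an added example that is not part of the original question or of either answer; the helper names html_attr, js_string and safe_link are assumptions, and PHP 8 is assumed for str_starts_with:

```php
<?php
// Added example, not from the original question or its answers. Helper names
// (html_attr, js_string, safe_link) are made up for this illustration; PHP 8 assumed.

// Constructed sample input: a request URI carrying a quote and an injected attribute.
$uri = '/some/path?a=123&b=456&q=" onmouseover="alert(1)';

// HTML body text or a quoted attribute value: htmlspecialchars() is the right tool.
// Keep the &amp; it produces. A browser decodes &amp; back to & when it follows the
// link, so the str_replace('&amp;', '&', ...) from the question is not needed and
// only puts a raw & back into the markup.
function html_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Inline JavaScript: htmlspecialchars() does not help here, because the browser does
// not decode HTML entities inside a <script> block. Emit a JSON string literal instead,
// with every character that could close the script or break the string hex-escaped.
function js_string(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
}

// href/src attribute: no amount of entity encoding stops a javascript: URL, which is
// the point made in the first answer. Allow only a same-origin path or an http(s) URL.
function safe_link(string $s): ?string {
    if (str_starts_with($s, '/') && !str_starts_with($s, '//')) {
        return $s; // relative path on this origin (not a protocol-relative // URL)
    }
    $scheme = strtolower((string) parse_url($s, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $s : null;
}

// Each context gets its own encoder; one pre-encoded string is never reused across them.
echo '<a href="', html_attr($uri), '">link</a>', "\n";
echo '<script>var current = ', js_string($uri), ';</script>', "\n";

$href = safe_link('javascript:alert(document.cookie)');
echo $href === null
    ? "javascript: target rejected\n"
    : '<a href="' . html_attr($href) . '">ok</a>' . "\n";
```

The first two echo lines show that a raw & never has to reappear in the markup for the link to keep working, and the third shows that the href case needs a scheme check rather than more encoding.
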

醉酒的小男人 2024-10-31 06:57:51


I once used really weird code for escaping URLs, but I bet this can be done better; furthermore, this does not cover the HTML special chars yet, it was just used for saving URLs to the database.

// Rebuilds the URL from its parsed components. $url is taken by reference and
// overwritten in place, and the rebuilt value is also returned.
function escapeUrl(&$url){
    $matches = parse_url($url);
    if(!isset($matches["host"])){
        Utils_Logging_Logger::getLogger()->log(
            "Unknown host for URL: \"$url\".",
            Utils_Logging_Logger::TYPE_ERROR
        );
        $matches["host"] = "";
    }
    if(!isset($matches["scheme"])){
        Utils_Logging_Logger::getLogger()->log(
            "Scheme (like http://) for URL: \"$url\" was not set.",
            Utils_Logging_Logger::TYPE_LOG);
        $url = "http://";
    }else{$url = $matches["scheme"]."://";}
    $url.=$matches["host"];
    // Note: path and query are percent-decoded (rawurldecode), not escaped, before being stored.
    if(isset($matches["path"])){
        $path = rawurldecode($matches["path"]);
        $url.=$path;
    }
    if(isset($matches["query"])){
        $query = rawurldecode($matches["query"]);
        $url.="?".$query;
    }
    return $url;
}
