PHP 中 html 属性中的 URL 转义
我目前正在使用一些现有代码,这些代码从请求中取出 URL 并将其输入到锚点的源中。这显然是 XSS 的一个漏洞,并且使用 urlencoding 并不能保持锚点内 url 的完整性。我很好奇在不破坏链接的情况下转义数据的最安全方法是什么。
IE
<?
$url = $_REQUEST['url'];
echo '<a href="' . $url . '">sometext</a>';
?>
I am currently working with some existing code that takes a URL out of the request and inputs it into the source of an anchor. This is clearly an opening for XSS and using urlencoding doesn't retain the sanity of the url inside the anchor. I'm curious what the safest way to escape the data without breaking the link would be.
i.e.
<?
$url = $_REQUEST['url'];
echo '<a href="' . $url . '">sometext</a>';
?>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
htmlspecialchars($url)会将 HTML 敏感字符转换为其实体等效字符。然而,也可以将 javascript 片段插入到 url 中——我个人并不了解这些细节。更复杂的解决方案(例如 HTML Purifier)可能会帮助您覆盖大多数漏洞。htmlspecialchars($url)will convert the HTML-sensitive characters to their entity equivalents. However, it is possible to insert javascript snippets into urls as well -- details of which I am personally not knowledgeable of. A more complex solution such as HTML Purifier may assist you in covering most vulnerabilities.还有
filter_var,它有一组可以使用的预定义过滤器,我认为其中一个用于 URL:http://php.net/manual/en/function.filter-var.php编辑: 是的:清理过滤器:<一个href="http://www.php.net/manual/en/filter.filters.sanitize.php" rel="nofollow">http://www.php.net/manual/en/filter.filters.sanitize .php
There's also
filter_var, which has a set of predefined filters you can use, one of which I believe is for URLs: http://php.net/manual/en/function.filter-var.phpEdit: Yup: Sanitize filters: http://www.php.net/manual/en/filter.filters.sanitize.php