SafeCracker strips HTML and inline CSS styles in ExpressionEngine

Published 2024-11-16 16:49:11 · 409 characters · 6 views · 0 comments


I have a form built with SafeCracker in ExpressionEngine. One of the textarea fields is used to allow users to submit HTML code.

Here's an example of the type of code they will be providing:

<div style="left: 385px; top: 137px;" class="aaa"></div>

When the form is submitted and the entry is saved to the database, SafeCracker strips out the inline CSS style. The result of what is actually saved to the database is:

<div class="aaa"></div>

As you can see, the inline CSS style(s) are being removed but the rest of the HTML is maintained.

I want to allow users to be able to submit HTML code and not have SafeCracker strip out the inline CSS style(s). How can I accomplish this?


Comments (1)

栖迟 2024-11-23 16:49:11


SafeCracker uses the built-in ExpressionEngine XSS Sanitization Method to clean user-submitted input of Cross Site Scripting (XSS) and SQL Injection vulnerabilities.

Any front-side user input is sanitized by using $this->EE->security->xss_clean() before being inserted into the database or output to the screen.

Thankfully for us, the Engineers at EllisLab have provided a secret, undocumented way of "whitelisting" fieldtypes and field_ids used in SafeCracker and exempting them from XSS filtering.

To stop SafeCracker from stripping all HTML from a given field, open up the following file, depending on which version of ExpressionEngine you're running:

EE 2.1.3 or Earlier (SafeCracker installed as Third-Party Add-On)
/system/expressionengine/third_party/safecracker/libraries/safecracker_lib.php


EE 2.2.0 or Later (SafeCracker installed as First-Party Module)
/system/expressionengine/modules/safecracker/libraries/safecracker_lib.php

Note: ExpressionEngine 2.2.0 bundles SafeCracker as a first-party module, so your installation location will depend on what version you're running or have upgraded from.

Scroll down to around Line 2371 (for EE 2.1.3) or Line 2516 (for EE 2.2) and look for the following:

$this->skip_xss_fieldtypes = array();
$this->skip_xss_field_ids = array();

Here's where the fun begins. To "whitelist" a field from having the XSS Filter applied, simply add the fieldtype or field_id to either array.

Here's an example:

$this->skip_xss_fieldtypes = array(
    // This is the fieldtype as specified in the Control Panel
    // Channel Fields, not what you use in your SafeCracker template
    'textarea'
);
$this->skip_xss_field_ids = array(
    // This is the field_id from the exp_channel_data MySQL Table
    'field_id_1'
);

You can either specify a certain type of fieldtype (textarea, input, etc.), or the field_id if you'd rather be more explicit. The former way is more general, while the latter is absolute and is more flexible if a custom field were ever to change its type.

With these changes, any field(s) you exempt from the XSS Sanitization Method will no longer have any filtering applied, and allow any arbitrary HTML to be submitted into the database!

Keep in mind that any upgrades to ExpressionEngine may overwrite this file, so you may want to change the permissions on the file or keep a backup handy.

Cross Site Scripting should be taken very seriously as you would never want your site to be the source of an attack vector. Always err on the side of caution.
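An added example, not code from ExpressionEngine, SafeCracker or the answer above, of the middle ground the closing warning points at: rather than exempting the textarea from xss_clean() altogether, run the submitted HTML through an allowlist sanitizer that keeps inline style="" for a fixed set of CSS properties and simple values while still removing script elements, event-handler attributes and url()/expression() style values. The element, attribute and property allowlists are assumptions chosen to fit the poster's fragment, and the code assumes PHP 7 or later with ext/dom; how it is wired into SafeCracker (for example from a custom fieldtype before the value is saved) is not shown.

```php
<?php
// Added example; not ExpressionEngine, SafeCracker or the answer's code.
// Allowlist sanitizer that keeps inline style="" for known-safe CSS properties
// and simple values, while still stripping what xss_clean() protects against
// (script elements, on* handlers, url()/expression() values, ...).
// Assumes PHP 7+ with ext/dom; the allowlists below are example choices.

// Elements kept; any other element is removed together with its subtree.
const ALLOWED_TAGS = ['div', 'span', 'p', 'b', 'i', 'strong', 'em', 'br'];
// Plain attributes kept; any other attribute (on*, href, src, srcdoc, ...) is dropped.
const ALLOWED_ATTRS = ['class', 'id', 'title'];
// CSS properties kept inside style="", each with the only value shape it may take.
const ALLOWED_CSS = [
    'left'        => '/^-?\d+(\.\d+)?(px|em|%)$/',
    'top'         => '/^-?\d+(\.\d+)?(px|em|%)$/',
    'width'       => '/^\d+(\.\d+)?(px|em|%)$/',
    'height'      => '/^\d+(\.\d+)?(px|em|%)$/',
    'position'    => '/^(static|relative|absolute)$/',
    'color'       => '/^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]+)$/i',
    'font-weight' => '/^(normal|bold|[1-9]00)$/',
    'text-align'  => '/^(left|right|center|justify)$/',
];

// Rebuild a style attribute from only the declarations that pass the allowlist.
// url(), expression(), backslash escapes and anything else that is not a bare
// length, keyword or colour never matches a pattern, so it is dropped.
function sanitize_style(string $style): string
{
    $kept = [];
    foreach (explode(';', $style) as $declaration) {
        if (strpos($declaration, ':') === false) {
            continue;
        }
        [$property, $value] = array_map('trim', explode(':', $declaration, 2));
        $property = strtolower($property);
        if (!array_key_exists($property, ALLOWED_CSS) || !preg_match(ALLOWED_CSS[$property], $value)) {
            continue;
        }
        $kept[] = $property . ': ' . $value;
    }
    return $kept ? implode('; ', $kept) . ';' : '';
}

function sanitize_html_keep_styles(string $html): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // user HTML is rarely well-formed
    $doc->loadHTML('<!DOCTYPE html><html><head><meta http-equiv="Content-Type" '
        . 'content="text/html; charset=utf-8"></head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $xpath = new DOMXPath($doc);
    // Snapshot the live NodeList first: removing nodes while iterating it skips siblings.
    foreach (iterator_to_array($xpath->query('//body//*'), false) as $element) {
        if (!in_array(strtolower($element->nodeName), ALLOWED_TAGS, true)) {
            $element->parentNode->removeChild($element);
            continue;
        }
        foreach (iterator_to_array($element->attributes, false) as $attribute) {
            $name = strtolower($attribute->name);
            if ($name === 'style') {
                $clean = sanitize_style($attribute->value);
                if ($clean === '') {
                    $element->removeAttribute($attribute->name);
                } else {
                    $element->setAttribute($attribute->name, $clean);
                }
            } elseif (!in_array($name, ALLOWED_ATTRS, true)) {
                $element->removeAttribute($attribute->name);
            }
        }
    }

    // Serialise only the body's children so the wrapper added above is not returned.
    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed inputs: the poster's fragment and a hostile variant of it.
$benign  = '<div style="left: 385px; top: 137px;" class="aaa"></div>';
$hostile = '<div style="left: 10px; background: url(javascript:alert(1))" '
    . 'onmouseover="alert(1)" class="aaa"><script>alert(1)</script>text</div>';
echo sanitize_html_keep_styles($benign), "\n";
echo sanitize_html_keep_styles($hostile), "\n";
```

Run it with the php command line: the benign fragment comes back with its left and top declarations intact, while the hostile variant loses the background declaration, the onmouseover handler and the script element and keeps only what the allowlists admit. Extend the allowlists deliberately; every property you add is a statement that no value matching its pattern can execute code or load a remote resource.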
