CakePhp: avoiding XSS attacks while keeping Cake easy to use
One of the things I like with cakePhp is that we can easily have a generated edit form which allows us to save.
E.g. in a controller:
    function add() {
        if (!empty($this->data)) {
            $this->Post->create();
            if ($this->Post->save($this->data)) {
                $this->Session->setFlash(__('The post has been saved', true));
                $this->redirect(array('action' => 'index'));
            } else {
                $this->Session->setFlash(__('The post could not be saved. Please, try again.', true));
            }
        }
        $users = $this->Post->User->find('list');
        $this->set(compact('users'));
    }
The problem with that is that our fields are vulnerable to XSS (Cross-site scripting). I'm aware of the "Sanitize::Clean" way, but I have a problem with that: it means that we have to do this on all fields before we save the object. And what if we later add a field? Should we go through all our code to check that we sanitize it?? Is there any way to say "Sanitize this object before saving it", without specifying any fields?
Thank you!
Comments (3)
As andreas correctly states, it is generally accepted best practice to store the original HTML and only sanitise on output (by storing the original input, it could help with tracking who posted the malicious content etc., for example).
To sanitize in a view, you should use the CakePHP convenience function h($string), which is a shortcut for htmlspecialchars and which will render all attempts at XSS completely harmless.
Edit: this wouldn't physically remove the XSS code, but just present it in a way that cannot harm your application.
    echo h('<script>alert("xss");</script>');
would produce
    &lt;script&gt;alert(&quot;xss&quot;);&lt;/script&gt;
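The point of the answer above, output escaping in the view, as an added example that is not code from the answer or from CakePHP. It renders two constructed Post records once raw and once through h(). The h() declared here mirrors CakePHP's own h() (htmlspecialchars with ENT_QUOTES) and is only defined when the file is run outside a Cake app, so it never shadows the real helper; the record contents are made up for the demonstration.

```php
<?php
// Added example (not from the original answer or from CakePHP).
// Stand-in for CakePHP's h(): declared only when the real one is absent,
// so this file runs on its own with the php CLI.
if (!function_exists('h')) {
    function h($text)
    {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed sample data in the shape $this->Post->find('all') returns.
// The second record carries the payload quoted in the answer above, stored
// exactly as submitted because nothing was cleaned on save.
$posts = array(
    array('Post' => array(
        'title' => 'Tom & "Jerry"',
        'body'  => "It's a plain-text post.",
    )),
    array('Post' => array(
        'title' => '<script>alert("xss");</script>',
        'body'  => 'Nothing was cleaned on save.',
    )),
);

// Vulnerable view: values are dropped straight into the markup, so the
// <script> element in the second title reaches the browser as HTML and the
// double quote in the first title breaks out of the title attribute.
function renderUnsafe(array $posts)
{
    $html = '';
    foreach ($posts as $row) {
        $html .= '<h2>' . $row['Post']['title'] . "</h2>\n";
        $html .= '<p title="' . $row['Post']['title'] . '">'
               . $row['Post']['body'] . "</p>\n";
    }
    return $html;
}

// Hardened view: the same template with h() around every interpolated value.
// Angle brackets, ampersands and both quote styles become entities, so the
// output is inert both in element content and inside the quoted attribute.
function renderSafe(array $posts)
{
    $html = '';
    foreach ($posts as $row) {
        $html .= '<h2>' . h($row['Post']['title']) . "</h2>\n";
        $html .= '<p title="' . h($row['Post']['title']) . '">'
               . h($row['Post']['body']) . "</p>\n";
    }
    return $html;
}

echo "--- raw (vulnerable) ---\n", renderUnsafe($posts);
echo "--- escaped with h() ---\n", renderSafe($posts);
```

Run it with `php escape_demo.php` and compare the two blocks of output: in the escaped version the second title appears as literal text in the page source rather than as a script element. Note that h() is applied at every place a value is echoed, including inside the quoted attribute; missing a single echo reintroduces the problem, which is why the next answers move the escaping into the model.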
You can look at the beforeSave() method for models: http://book.cakephp.org/view/1052/beforeSave
The data submitted is available in the $this->data[$this->alias] array, so you could
Usually you want to store whatever is submitted by the user in the database and only sanitize it when you need to display it; that way you still preserve the original HTML content (if it indeed is intended to be HTML input, for instance a blog post).
If you want to sanitize before displaying, you could do it using afterFind() so you don't have to call Sanitize every time: http://book.cakephp.org/view/1050/afterFind
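The afterFind() approach from this answer (and the one below it), as an added example that is not code from the answer, from the CakePHP book, or from the asker's project. It is a Post model that escapes every string field of every record it returns, so no view has to remember to call h() on Post data. It assumes the CakePHP 1.3 callback signature afterFind($results, $primary) and the Post/AppModel names from the question; the $rawHtmlFields property and the _escapeFields() helper are names invented for the example.

```php
<?php
// Added example, not code from the original answer or from CakePHP.
// CakePHP 1.3 model (app/models/post.php): every string field is HTML-escaped
// as it comes out of find(), so the raw submission stays in the database and
// the views receive inert text without calling h() themselves.
class Post extends AppModel {
    var $name = 'Post';

    // Invented for the example: fields that are meant to hold trusted HTML
    // and must be left alone here. Empty means "escape everything".
    var $rawHtmlFields = array();

    function afterFind($results, $primary = false) {
        // When this model is fetched through a hasOne/belongsTo association,
        // CakePHP 1.3 hands afterFind a flat array(field => value) instead of
        // the usual list of records; handle that shape first.
        if (!$primary && !isset($results[0])) {
            return $this->_escapeFields($results);
        }
        // Primary find (or hasMany): array(0 => array('Post' => array(...)), ...)
        foreach ($results as $i => $row) {
            if (is_array($row) && isset($row[$this->alias]) && is_array($row[$this->alias])) {
                $results[$i][$this->alias] = $this->_escapeFields($row[$this->alias]);
            }
        }
        return $results;
    }

    // Invented helper: escape each string value in one record the same way
    // CakePHP's h() does, skipping fields declared as trusted HTML.
    function _escapeFields($fields) {
        foreach ($fields as $name => $value) {
            if (is_string($value) && !in_array($name, $this->rawHtmlFields)) {
                $fields[$name] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
            }
        }
        return $fields;
    }
}
```

Pick one place to escape and stick to it: with this afterFind() in place a view must not wrap Post fields in h() again, or `<` is rendered as `&amp;lt;` and the text shows literal entities. The same _escapeFields() loop could be run over $this->data[$this->alias] in beforeSave() if you do decide to clean before storing, as the asker wanted, but then the original submission is lost, which is the trade-off the answers above warn about.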
Maybe you could sanitize in the afterFind method of the Model. This would be called after a search, which you are probably doing before displaying your data.