清理用户输入作为 URL 的一部分
我从外部客户端脚本获取一个字符串,稍后必须将其附加为 URL 的一部分。现在我想知道清理此类数据的最佳方法是什么?
我得到的字符串将具有如下结构:dynamicVal#staticVal:dynamicVal
然后该值将被添加到网址中:http://the-page.com/dynamicVal#staticVal:dynamicVal
然后按如下方式使用 url:
$link = htmlspecialchars("http://external-page.com/dynamicVal#staticVal:dynamicVal", ENT_QUOTES);
$var = "<a href=\"javascript: window.open('$link')\">'Open URL'</a>";
问题是,htmlspecialchars 不会帮助阻止随机 javascript 代码的执行,例如,将此警报添加到值中:
dynamicVal#staticVal:dynamicVal'+alert(\"breakout\")+'
使用 rawurlencode 也不会有所帮助,因为它不是参数的值,而是 url 的真实部分。
那么,在连接到 url 时清理传递的字符串的最佳方法是什么?
提前致谢。
编辑: 仅在动态部分使用 rawurlencode 实际上也没有解决问题,javascript 仍然被执行。
测试片段:
$splitVal = "#staticVal:";
$tmpArr = explode($splitVal, "dynamicVal#staticVal:dynamicVal'+alert(\"breakout\")+'");
$link = htmlspecialchars(sprintf("http://external-page.com/"."%s$splitVal%s", rawurlencode($tmpArr[0]), rawurlencode($tmpArr[1])), ENT_QUOTES);
echo "<a href=\"javascript: window.open('$link')\">'Open URL'</a>";
编辑2: 将字符串作为 javascript 参数传递时使用 json_encode 也没有帮助。 改编后的测试片段:
$splitVal = "#staticVal:";
$tmpArr = explode($splitVal, "dynamicVal#staticVal:dynamicVal\"+alert('breakout')+\"");
$link = htmlspecialchars(sprintf("http://external-page.com/"."%s$splitVal%s", rawurlencode($tmpArr[0]), rawurlencode($tmpArr[1])), ENT_QUOTES);
echo "<a href=\"javascript: window.open(".htmlspecialchars(json_encode($link), ENT_QUOTES).")\">'Open URL'</a>";
改编完成:
交换了恶意 JS 中的引号。
将 htmlspecialchars 移至 json_encode 周围,因为返回双引号字符串,否则会破坏 html。
I get a string, from an external clientside script, which must later be attached as part of an url. Now I am wondering what is the best way to santitize such data?
The string I get will have a structure like this:dynamicVal#staticVal:dynamicVal
This value will then be added to an url:http://the-page.com/dynamicVal#staticVal:dynamicVal
The url is then used as followed:
$link = htmlspecialchars("http://external-page.com/dynamicVal#staticVal:dynamicVal", ENT_QUOTES);
$var = "<a href=\"javascript: window.open('$link')\">'Open URL'</a>";
Problem is, htmlspecialchars wont help to prevent execution of random javascript code, e.g. by adding this alert to the value:
dynamicVal#staticVal:dynamicVal'+alert(\"breakout\")+'
Using rawurlencode wont help either, because it is not a value of a parameter but a real part of the url.
So what is the best way to sanitize the passed string when concatenating to the url?
Thanks in advance.
Edit:
Using rawurlencode only on the dynamic parts actually also didn't solve the issue, the javascript still got executed.
Test snippet:
$splitVal = "#staticVal:";
$tmpArr = explode($splitVal, "dynamicVal#staticVal:dynamicVal'+alert(\"breakout\")+'");
$link = htmlspecialchars(sprintf("http://external-page.com/"."%s$splitVal%s", rawurlencode($tmpArr[0]), rawurlencode($tmpArr[1])), ENT_QUOTES);
echo "<a href=\"javascript: window.open('$link')\">'Open URL'</a>";
Edit2:
Using json_encode when passing the string as javascript argument didn't help either.
Adapted test snippet:
$splitVal = "#staticVal:";
$tmpArr = explode($splitVal, "dynamicVal#staticVal:dynamicVal\"+alert('breakout')+\"");
$link = htmlspecialchars(sprintf("http://external-page.com/"."%s$splitVal%s", rawurlencode($tmpArr[0]), rawurlencode($tmpArr[1])), ENT_QUOTES);
echo "<a href=\"javascript: window.open(".htmlspecialchars(json_encode($link), ENT_QUOTES).")\">'Open URL'</a>";
Adaptions done:
Switched the quotes in the malicous JS.
Moved htmlspecialchars around json_encode, because a double quoted string gets returned which would break the html otherwise.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
为此,您应该使用
urlencode()。不是在整个琴弦上,而是仅在动态部分上。编辑:
好的 - 我看到你的问题了。我没有意识到您将代码插入到 JavaScript 函数调用中。您必须确保 JavaScript 解释器将您的链接视为
window.open()的字符串参数:You should use
urlencode()for this. Not on the whole string but on the dynamic parts only.EDIT:
OK - I see your problem. I didn't realize that you insert the code into a JavaScript function call. You'll have to ensure that the JavaScript interpreter treats your link as a string argument to
window.open():为了完整起见,我只需在使用
rawurlencode之前将addslashes放在动态部分即可解决该问题。需要两个函数调用来防止爆发。使用
addslashes可以防止正常引号 (',") 并使用rawurlencode防止已编码的引号 (%29,%22) 造成伤害,所以最终的解决方案如下所示:
For completenes, I was able to solve that issue by simply putting
addslasheson the dynamic part before usingrawurlencode.Both function calls are needed to prevent breaking out. Using
addslashesprevents normal quotes (',") andrawurlencodeprevents already encoded quotes (%29,%22) to cause harm.So final solution looks like this: