Does htmlspecialchars escape JavaScript?
I've stumbled over this question:
Do you guys know if the htmlspecialchars function also escapes JavaScript from user input?
Thanks
Well, to answer your question, it depends. If you're doing:
Then they will not be able to inject scripts into your application.
HOWEVER:
If you're trying to do this:
You are not safe. See Rule #3 on OWASP's XSS Cheat Sheet.
To protect that, you'd need to use a JS-aware escaping function. You could JSON-encode it if you just need a string literal, but I would use ESAPI for PHP to take care of this.
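The two contexts this answer contrasts, written out as an added PHP example (not code from the question or any of the answers): the same untrusted value placed in an HTML text node and inside a JavaScript string literal. The input value and the function names are constructed for the demonstration; ENT_QUOTES is passed explicitly because the default flags of htmlspecialchars depend on the PHP version, and JSON_THROW_ON_ERROR needs PHP 7.3 or later.

```php
<?php
// Constructed untrusted input: a backslash and apostrophes, which mean nothing
// special to HTML but are significant inside a JavaScript string literal.
$untrusted = "C:\\temp\\new 'dir'";   // PHP literal yields: C:\temp\new 'dir'

// HTML body / attribute context: htmlspecialchars is the right tool here.
function forHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context done wrong: htmlspecialchars only touches
// & < > " and (with ENT_QUOTES) '. The backslash passes through untouched, so
// the browser reinterprets \t and \n as JS escape sequences, and the HTML
// entity &#039; is never decoded inside a <script> element.
function forJsWrong(string $s): string {
    return '"' . forHtml($s) . '"';
}

// JavaScript string-literal context done right (Rule #3 of the OWASP XSS
// cheat sheet): emit a JSON literal. The HEX flags turn < > & ' " into \u003C
// and friends, so the literal can neither close the enclosing <script> tag nor
// break out of an attribute if it is later echoed into HTML.
function forJs(string $s): string {
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

echo "<p>" . forHtml($untrusted) . "</p>\n";
// <p>C:\temp\new &#039;dir&#039;</p>              -> rendered as the original text

echo "<script>var p = " . forJsWrong($untrusted) . ";</script>\n";
// <script>var p = "C:\temp\new &#039;dir&#039;";</script>
// JS decodes \t and \n, so p holds a corrupted value, not the input string.

echo "<script>var p = " . forJs($untrusted) . ";</script>\n";
// <script>var p = "C:\\temp\\new \u0027dir\u0027";</script>
// JS decodes \\ and \u0027, so p holds exactly the original input.
```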
The PHP manual tells you exactly what characters get changed by the function.
It doesn't care if the string you give it contains HTML or JS or something else. It just makes those translations on whatever string you give it.
Since HTML and JS use different escape characters, it makes arbitrary data "safe" for use in HTML, which includes making some JS safe for use in HTML.
e.g.
Will output:
Thus preventing the special meaning that & has in HTML from breaking the script. It won't make a string safe to use in JavaScript though, since it doesn't touch characters such as \ which have special meaning there.
According to the manual the following characters are replaced:
So a <script> tag would be modified, but the JavaScript inside may or may not be modified, depending on which characters it contains.
Sure it does.
<script> is changed to &lt;script&gt;