防止隐形表单被轻易黑客入侵

发布于 2024-12-26 11:33:24 字数 1699 浏览 0 评论 0原文

摘要

如果表单设置为 display:none 并且其字段通过 javascript 填充了一些任意的 html 代码，那么提交时需要什么样的数据清理/表单安全性？

背景

我正在使用 JQuery 插件 DataTables 来重新格式化并显示按组小计的数据。除了美中不足之外，它的效果很好：通过 TableTools 将表格导出为 PDF（或其他形式）扩展会产生原始格式，而不是分组和小计格式。经过讨论与 DataTables/TableTools 作者一起，我得出的结论是我需要以不同的方式导出。

我制作了一个按钮，将修改后的表 html 而不是原始 html 提交到使用 mpdf 创建 pdf 文件的 php 脚本。它通过填充“不可见”表单然后提交来实现这一点。效果很好。

但我担心提交 html 的隐形表单会让我很容易受到滥用。当输入是任意时，确保发布的输入是我所期望的最好方法是什么？

代码

<!--HTML-->
<button name='Make PDF' id='butPDF'/>

<form action='makepdf.php' method='post' name='mpdf' 
      id='mpdf' style='display:none'>
  <textarea name='pdf_html'></textarea>
</form>

//javascript
$(document).ready(function() {
  $('.datatable').dataTable( {
    //process table into desired format      
  });

  $('button#butPDF').onClick(
    function(){
       var html= get_my_stuff();//collect up the desired bits
       $('textarea[name="pdf_html"]').val(html);
       $('form#mpdf).submit();
    }
  );
});

<?php
include(_MPDF_PATH . "mpdf.php");

$html=$_POST['pdf_html'];
$stylesheet = file_get_contents(LOCAL_INCLUDE.'css/mpdf.css');

$mpdf=new mPDF();
$mpdf->WriteHTML($stylesheet,1,true);
$mpdf->WriteHTML($html, 2,false);
$mpdf->Output('myfile.pdf','D'); //D for download
exit;
?>

原文

Summary

If a form is set to display:none and it's fields are populated with somewhat arbitrary html code by javascript, what kind of data sanitizing/form security is required on submission?

Background

I'm using the JQuery plugin DataTables to reformat and display data subtotalled by group. It works great except for one small fly in the ointment: exporting the table to PDF (or other forms) through the TableTools extension results in the original format rather than the grouped and subtotalled format. After a discussion with the DataTables/TableTools author, I came to the conclusion that I needed to export a different way.

I made a button that submits the modified table html rather than the original html to a php script that uses mpdf to create the pdf file. It does this by populating an "invisible" form and then submitting it. It works great.

But I'm concerned that having an invisible form that submits html leaves me wide open to abuse. What are the best ways to ensure that the POSTed input is what I'm expecting when the input is arbitrary?

Code

<!--HTML-->
<button name='Make PDF' id='butPDF'/>

<form action='makepdf.php' method='post' name='mpdf' 
      id='mpdf' style='display:none'>
  <textarea name='pdf_html'></textarea>
</form>

//javascript
$(document).ready(function() {
  $('.datatable').dataTable( {
    //process table into desired format      
  });

  $('button#butPDF').onClick(
    function(){
       var html= get_my_stuff();//collect up the desired bits
       $('textarea[name="pdf_html"]').val(html);
       $('form#mpdf).submit();
    }
  );
});

<?php
include(_MPDF_PATH . "mpdf.php");

$html=$_POST['pdf_html'];
$stylesheet = file_get_contents(LOCAL_INCLUDE.'css/mpdf.css');

$mpdf=new mPDF();
$mpdf->WriteHTML($stylesheet,1,true);
$mpdf->WriteHTML($html, 2,false);
$mpdf->Output('myfile.pdf','D'); //D for download
exit;
?>

分享到QQ

分享到微博