CodeIgniter XSS protection

Posted 2025-01-04 22:01:52

I've been looking into CodeIgniter for the past few days. It looks promising, but there are a few issues. The global XSS protection is not secure at all, it sucks! I've been playing around with it, and I for sure can make so many "bad requests".

What do CodeIgniter users do? Just leave it off and create their own XSS protection? Are there any existing classes for CodeIgniter (or PHP) that help to prevent XSS attacks?

It also seems like the XSS protection is stripping too much sometimes, when it "works" and the code finds a match.

Any help would be great! Thanks!

Comments (4)

就此别过 2025-01-11 22:01:52

From my experience, CI's XSS is pretty good -- I have run into situations where it does remove something which I have wanted which can be a pain to debug if you're not expecting it. I've never been able to "easily" circumvent it nor have I read about any exploits (and the CI community is fairly large).

If you are very concerned, you can turn off CI's XSS protection and use a "more" comprehensive filter such as HTML Purifier -- you might also want to read OWASP's XSS cheat sheet, because cleaning input is only a small part of XSS protection.

心房敞 2025-01-11 22:01:52

I don't turn on global XSS. Once it is turned on globally, it is impossible to turn off for single-use instances like using a TinyMCE editor for content. I have literally gone through the CI code and found that it rewrites the $_POST, $_GET data; if XSS is on globally then the data gets written to $_POST stripped.

Solution
XSS Global = off

$this->input->post('varname',true); //for clean data
$this->input->post('varname',false); //for something you want to clean manually
$varname=filter_var($_POST['varname']); //raw and old school

眼中杀气 2025-01-11 22:01:52

You can use htmlspecialchars($input) to prevent xss injection from user inputs and kiddo.
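As an added example (not code from any of the answers above), this spells out what `htmlspecialchars($input)` does and does not cover: encoding has to match the output context, and before PHP 8.1 the default flags did not escape single quotes, so they are passed explicitly. The helper names `esc_html`, `esc_js` and `esc_url_param` and the sample value are chosen here; the point from the first answer, that cleaning input is only part of XSS protection, is what the three contexts illustrate.

```php
<?php
// Added example: context-aware output encoding for a CodeIgniter view.
// htmlspecialchars() alone is right only for the HTML text/attribute
// context, and only with ENT_QUOTES and an explicit charset.

/** Encode for HTML text and for double- or single-quoted attribute values. */
function esc_html(string $s): string
{
    // ENT_QUOTES escapes ' as well as " (needed inside single-quoted
    // attributes); ENT_SUBSTITUTE avoids returning "" on invalid UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode for a JavaScript string literal inside an inline <script>. */
function esc_js(string $s): string
{
    // JSON_HEX_* turn <, >, &, ' and " into \uXXXX escapes, so the value
    // can neither close the <script> element nor break out of its quotes.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
                           | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
}

/** Encode a single query-string parameter value. */
function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

// Constructed sample value (not real user data). It stays inert in each
// context only because the encoding is chosen per insertion point.
$name = "O'Brien <b>&amp; co</b>";

echo '<p>Hello, ' . esc_html($name) . "</p>\n";
echo "<input value='" . esc_html($name) . "'>\n";
echo '<script>var who = ' . esc_js($name) . ";</script>\n";
echo '<a href="/search?q=' . esc_url_param($name) . "\">search</a>\n";

// Sanity checks (run with: php this_file.php, zend.assertions=1).
assert(esc_html("'") === '&#039;');                    // single quote encoded
assert(strpos(esc_js('</script>'), '<') === false);    // no raw < in JS context
assert(esc_url_param('a b&c') === 'a%20b%26c');
```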

一抹淡然 2025-01-11 22:01:52

I have overridden the post function in RestController like this to do XSS cleaning and to save the XSS senders' attempts to hack in an attack table:

public function post($key = NULL, $default_value = "", $xss_clean = TRUE)
{
    if ($key === NULL)
    {
        return $this->_post_args;
    }
    // CI's own xss_clean runs first (when $xss_clean is TRUE), then checkvar().
    $val = $this->input->get_post($key, $xss_clean);
    if ( ! is_array($val))
        $val = $this->checkvar($val, 'string', '', '')[1];
    if ( ! isset($val) || $val == NULL || $val == "")
        return $default_value;
    else
        return $val;
}

// Returns [status, value]: status 1 = accepted, 0 = failed the requested filter.
function checkvar($var, $varmode, $varfilter, $defultvar)
{
    if ($var == null || $var == '') {
        return [1, $defultvar];
    }
    $ttvar = $var;               // untouched original, kept for logging

    $var  = strtolower($var);    // patterns below are matched on the lowercased copy
    $tvar = $var;

    $var = preg_replace('~<script~', '<!--', $var);
    $var = preg_replace('~</script>~', '-->', $var);
    $var = preg_replace('~delete *from~', '', $var);
    $var = preg_replace('~drop *table~', '', $var);
    $var = preg_replace('~insert *into~', '', $var);
    $var = preg_replace('~or *1 *= *1~', '', $var);
    $var = preg_replace('~select *from~', '', $var);

    if ($var != $tvar) {
        // A pattern matched: log the raw value. Both values go through the DB
        // driver's escape() so the logging query itself cannot be injected
        // (the original concatenated $ttvar unescaped). Assumes the default
        // database group; load->database() is a no-op if it is already loaded.
        $CI = get_instance();
        $CI->load->database();
        $CI->load->model('B_db');
        $query = "INSERT INTO attack_tb( attack_ip, attack_text, attack_timestamp) VALUES
                    ( ".$CI->db->escape(get_client_ip()).", ".$CI->db->escape($ttvar).", now() )";
        $result = $CI->B_db->run_query($query);
    } else {
        $var = $ttvar;           // nothing matched: keep the original casing
    }
    // Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.
    $var = filter_var($var, FILTER_SANITIZE_STRING);

    if ($varmode == 'string') {
        if ($varfilter == '') {
            return [1, $var];
        } elseif ($varfilter == 'email') {
            return filter_var($var, FILTER_VALIDATE_EMAIL) ? [1, $var] : [0, $var];
        } elseif ($varfilter == 'ip') {
            return filter_var($var, FILTER_VALIDATE_IP) ? [1, $var] : [0, $var];
        }
    } elseif ($varmode == 'int') {
        return is_numeric($var) ? [1, $var] : [0, $var];
    }
    // Unknown mode/filter combination: the original fell off the end and returned null.
    return [0, $var];
}