*注意 - 这篇文章仅针对XSS攻击,而不是SQL注射,因为我们已经使用了准备的语句
,
我计划在XSS攻击方面过滤输出。到目前为止,我已经读到,UTF-8格式的网站的“推荐”方法是使用HTMLSpeCialChars()对每个相关的echo()或print()语句编码用户输入数据的每个输出(例如)。 (至少对于不需要处理包含html的用户输入数据的网站)
如如何使用html/php?和我如何用PHP消毒?
但是,在我正在处理的网站上打印了用户输入数据的情况太多,并且在许多文件/网页上传播。这将是一个庞大的项目,可以专门讨论每个相关的Echo()和print()语句。因此,我考虑过在用echo()或print()打印其字段之前,从后端检索到的整个用户输入数据对象进行迭代。例如,使用此辅助函数:
// helper function
function xss_recursive_object_iterator(&$object)
{
if ($object === null) {
return;
}
if (is_object($object) || is_array($object)) {
foreach ($object as $key => &$field) {
if (is_string($field)) {
$cleaned_field = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
// maybe additional operations for output encoding (but which)
// ...
$field = $cleaned_field;
} else if (is_array($field) || is_object($field)) {
recursive_object_iterator($field);
}
}
unset($field);
}
}
...
// clean object with user input data retrieved from backend with the above function
xss_recursive_object_iterator($user_data_object);
...
// output of user input strings from the XSS filtered object
echo($user_data_object->field_string1);
echo($user_data_object->field_string2);
...
而不是将其应用于每个echo()/print()字段
echo(htmlspecialchars($user_data_object->field_string1, ENT_QUOTES, 'UTF-8'));
echo(htmlspecialchars($user_data_object->field_string1, ENT_QUOTES, 'UTF-8'));
...
问题1 1
迭代对整个对象的迭代缺点是什么缺点,并将编码操作应用于上面所示的每个字段?这会留下任何XSS输出过滤问题吗?
问题2
,对于要在标签中打印的用户数据,我将使用 json_encode($ field_string,json_hex_quot | json_hex_tag | json_hex_hex_amp | json_hex_apos | json_hex_apos>
此外 ($ field_string)); ,
如 json> json:不管是安全的吗
?可以说该网站不会将用户输入集成到CSS中。
我是否已经缺少一个关键方面,或者到目前为止,除了在内容安全策略设置中额外的允许列表外,我在过滤XSS攻击方面是否很好?当然,我还将针对作弊表进行测试:,但也许有明显的东西。
例如,是否有更多的操作可以为我提供针对XSS攻击的额外安全性,例如strip_tags()或特定的正则运行?
问题3
在保存之前已经验证数据怎么样?
例如,利用filter_input_array,它会提供任何其他安全性,还是当我过滤XSS输出时,它是不必要的吗?
*note - this post is only about XSS attacks and not about SQL injections as we already use prepared statements
Hi all,
I plan to filter my output in regards to XSS attacks. So far, I have read that the "recommended" approach for websites in UTF-8 format is to use htmlspecialchars() to encode every output of user input data, e.g., for every relevant echo() or print() statement. (At least for websites that do not require handling user input data containing HTML)
As noted in How to prevent XSS with HTML/PHP? and How can I sanitize user input with PHP?
However, there are too many cases where user input data is being printed out on the site I'm working on, and it spreads over numerous files/web pages. It would be a mammoth project to specifically address every single related echo() and print() statement. Thus, I thought about iterating over the whole user input data object retrieved from the backend before printing out its fields with echo() or print(). For example, with this helper function:
// helper function
function xss_recursive_object_iterator(&$object)
{
if ($object === null) {
return;
}
if (is_object($object) || is_array($object)) {
foreach ($object as $key => &$field) {
if (is_string($field)) {
$cleaned_field = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
// maybe additional operations for output encoding (but which)
// ...
$field = $cleaned_field;
} else if (is_array($field) || is_object($field)) {
recursive_object_iterator($field);
}
}
unset($field);
}
}
...
// clean object with user input data retrieved from backend with the above function
xss_recursive_object_iterator($user_data_object);
...
// output of user input strings from the XSS filtered object
echo($user_data_object->field_string1);
echo($user_data_object->field_string2);
...
Instead of applying it on every single echo()/print() field
echo(htmlspecialchars($user_data_object->field_string1, ENT_QUOTES, 'UTF-8'));
echo(htmlspecialchars($user_data_object->field_string1, ENT_QUOTES, 'UTF-8'));
...
Question 1
What are the drawbacks of iterating over the whole object and applying the encoding operations to every field beforehand as shown above? Would this leave any xss output filtering issues open?
Question 2
Additionally for user data being printed inside tags I would use json_encode($field_string, JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS);
And for dynamic URLs with user input I would use htmlspecialchars(urlencode($field_string));
As suggested in Json: PHP to JavaScript safe or not? and Does urlencode() protect against XSS
Lastly it is to say that the website does not integrate user input into CSS.
Is there already a crucial aspect I am missing, or am I good so far at filtering XSS attacks apart from an additional allowlist in the Content Security Policy settings? Of course, I will also test it against the cheatsheet: https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html, but maybe there is something obvious.
For example, are there more operations missing that could provide me additional safety against XSS attacks in terms of output encoding, for example, strip_tags() or specific regex operations?
Question 3
What about already validating the data before saving?
For example leveraging filter_input_array, will it give any additional security, or is it unnecessary as I filter the output for XSS anyway?
发布评论
评论(1)
如果您不打算从用户输入中打印HTML代码,则应在将其持续到数据库之前对输入进行消毒,因此“问题3”是必经之路。
filter_input_array默认情况下对所有输入进行消毒。如果您仍然在数据库中存储的危险用户输入,则使用模板引擎,该引擎会自动对输出进行消毒或编写自己的功能,例如
在所有对象属性上进行迭代,也会产生不必要的负载,因为即使是未打印的字段也是编码的。
If you do not intend to print html code from user input in general you should sanitize input before persisting it to database so "Question 3" is the way to go.
filter_input_arrayby default sanitizes all input.If you still have dangerous user input stored in your database either use a template engine which automatically will sanitize output or write your own function like
Iterating over all object properties would produce unnecessary load because even fields that are not printed are encoded.