XSS:json_encode()在PHP中使用或不带HTMSpecialChars()
我已经看到了多个帖子/示例,其中json_encode()在htmlspecialchars()中使用,以防止XSS在HTML中使用JavaScript中使用PHP时。尽管如此,我还看到了只有json_encode()就足够的示例。例如:
// already sufficient?
<script type="application/json">
<? echo json_encode($value, JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS); ?>
</script>
// overkill?
<script type="application/json">
<? echo htmlspecialchars(json_encode($value, JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS), ENT_QUOTES, 'UTF-8')); ?>
</script>
如下所述:
?
在上面的这种情况下,HTMLSpeceialChars()是否有其他保护?如果是这样,返回的设备json_encode(htmlspecialchars());而不是htmlspeceialchars(json_encode());也可以使用吗? (当我应用htmlSpeceialChars()之前,在用户数据对象的所有字符串上,并且将应用json_encode()稍后仅适用于脚本标签中嵌入的字符串。)
其他问题:
i :i在我所有包含用户数据的输出字符串上使用htmlspecialchars($ value,ent_quotes,'utf-8');。我的网站节省了广泛的用户数据,这些数据与包含电子邮件,URL,特殊字符等的字符串不同,
除了HTML标签之外,这是否会破坏其他格式并扭曲最终用户的正确显示?我应该将重点放在重点的情况下吗?
例如,我看到在处理将放置在URL中的不安全变量时,应使用urlencode(),但这在我的情况下不相关,因为我只保存用户提供的完整静态URL。但是htmlspecialchars()会影响破坏这些静态网址吗?
谢谢您的宝贵时间!
I have seen multiple posts/examples where json_encode() is used within htmlspecialchars() to prevent XSS when using PHP in JavaScript embedded in HTML. Still, I have also seen examples where only json_encode() is seen to be sufficient. For example:
// already sufficient?
<script type="application/json">
<? echo json_encode($value, JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS); ?>
</script>
// overkill?
<script type="application/json">
<? echo htmlspecialchars(json_encode($value, JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS), ENT_QUOTES, 'UTF-8')); ?>
</script>
As discussed in:
When used correctly, is htmlspecialchars sufficient for protection against all XSS?
Is json_encode Sufficient XSS Protection?
Json: PHP to JavaScript safe or not?
Is there any additional protection htmlspecialchars() would provide in this case above? And if so, would the reverted appliance json_encode(htmlspecialchars()); instead of htmlspecialchars(json_encode()); also work? (As I apply htmlspecialchars() on all strings of the user data object beforehand and would apply json_encode() later only for strings embedded in script tags.)
Additional Question:
I use htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); on all of my output strings containing user data. And my website saves extensive user data varying from strings containing emails, URLs, special characters, e.t.c.
Apart from HTML tags, will this break any other format and distort the correct display for the end-user? Are there specific occurrences on which I should put my focus?
For example, I saw that urlencode() should be used when handling unsafe variables that will be placed within an URL, but this is not relevant in my case as I only save complete static URLs provided by users. But could htmlspecialchars() affect breaking these static URLs?
Thank you for your time!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论