php 当涉及 XSS 时,htmlspecialchars 与 htmlentities
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3623236/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
htmlspecialchars vs htmlentities when concerned with XSS
提问by stuckinphp
I have seen a lot of conflicting answers about this. Many people love to quote that php functions alone will not protect you from xss.
我已经看到很多关于这个的相互矛盾的答案。许多人喜欢引用单独的 php 函数并不能保护您免受 xss 的侵害。
What XSS exactly can make it through htmlspecialchars and what can make it through htmlentities?
究竟什么 XSS 可以通过 htmlspecialchars 实现,什么可以通过 htmlentities 实现?
I understand the difference between the functions but not the different levels of xss protection you are left with. Could anyone explain?
我了解功能之间的差异,但不了解您所拥有的不同级别的 xss 保护。谁能解释一下?
回答by Theodore R. Smith
htmlspecialchars() will NOT protect you against UTF-7 XSS exploits, that still plague Internet Explorer, even in IE 9: http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/
htmlspecialchars() 不会保护您免受 UTF-7 XSS 攻击,即使在 IE 9 中,它仍然困扰着 Internet Explorer:http: //securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using -本地重定向/
For instance:
例如:
<?php
$_GET['password'] = 'asdf&ddddd"fancy?quotes?';
echo htmlspecialchars($_GET['password'], ENT_COMPAT | ENT_HTML401, 'UTF-8') . "\n";
// Output: ???asdf&ddddd"fancy?
echo htmlentities($_GET['password'], ENT_COMPAT | ENT_HTML401, 'UTF-8') . "\n";
// Output: asdf&ddddd"fancyËquotes
You should always use htmlentities and very rarely use htmlspecialchars when sanitizing user input. ALso, you should alwaysstrip tags before. And for really important and secure sites, you should NEVERtrust strip_tags(). Use HTMLPurifier for PHP.
在清理用户输入时,您应该始终使用 htmlentities 并且很少使用 htmlspecialchars。此外,您应该始终先去除标签。对于真正重要和安全的站点,您永远不应该信任 strip_tags()。为 PHP使用HTMLPurifier。
回答by SilverlightFox
If PHP's headercommand is used to set the charset
如果使用 PHP 的header命令设置字符集
header('Content-Type: text/html; charset=utf-8');
then htmlspecialcharsand htmlentitiesshould both be safe for output of HTML because XSScannot then be achieved using UTF-7 encodings.
thenhtmlspecialchars并且htmlentities对于 HTML 的输出都应该是安全的,因为使用 UTF-7 编码无法实现XSS。
Please note that these functions should not be used for output of values into JavaScript or CSS, because it would be possible to enter characters that enable the JavaScript or CSS to be escaped and put your site at risk. Please see the XSS Prevention Cheat Sheeton how to appropriately handle these situations.
请注意,这些函数不应用于将值输出到 JavaScript 或 CSS,因为输入的字符可能会使 JavaScript 或 CSS 被转义,从而使您的站点处于危险之中。有关如何适当处理这些情况,请参阅XSS 预防备忘单。
回答by Jonny5 Alive
I'm not sure if you have found the answer you were looking for, but, I am also looking for an HTML cleaner. I have an application I am building and want to be able to take HTML code, possibly even Javascript, or other languages and put them into a MySQL DB without causing issues nor allowing for XSS issues. I've found HTML Purifierand it appears to be the most developed and still maintained tool for cleaning up user submitted information on a PHP system. The page linked is their compairison page which can yield reasoning as to why their's or another tool could be useful. Hope this helps!
我不确定您是否找到了您正在寻找的答案,但是,我也在寻找 HTML 清洁器。我有一个正在构建的应用程序,希望能够采用 HTML 代码,甚至可能是 Javascript 或其他语言,并将它们放入 MySQL 数据库中,而不会导致问题,也不会出现 XSS 问题。我找到了HTML Purifier,它似乎是最开发和维护最完善的工具,用于在 PHP 系统上清理用户提交的信息。链接的页面是他们的比较页面,可以推断出为什么他们的或其他工具可能有用。希望这可以帮助!
