What are the best practices for avoiding xss attacks in a PHP site

前端 未结 20 2355
佛祖请我去吃肉
佛祖请我去吃肉 2020-11-22 02:34

I have PHP configured so that magic quotes are on and register globals are off.

I do my best to always call htmlentities() for anything I am outputing that is derive

20条回答
  •  北恋
    北恋 (楼主)
    2020-11-22 03:24

    The best current method for preventing XSS in a PHP application is HTML Purifier (http://htmlpurifier.org/). One minor drawback to it is that it's a rather large library and is best used with an op code cache like APC. You would use this in any place where untrusted content is being outputted to the screen. It is much more thorough that htmlentities, htmlspecialchars, filter_input, filter_var, strip_tags, etc.

提交回复
热议问题