发表新帖
发表新帖

What are the best practices for avoiding xss attacks in a PHP site

前端 未结
关注
20 2330
佛祖请我去吃肉
佛祖请我去吃肉 2020-11-22 02:34

I have PHP configured so that magic quotes are on and register globals are off.

I do my best to always call htmlentities() for anything I am outputing that is derive

相关标签:
20条回答
  • 不思量自难忘°
    2020-11-22 03:11

    I'm of the opinion that one shouldn't escape anything during input, only on output. Since (most of the time) you can not assume that you know where that data is going. Example, if you have form that takes data that later on appears in an email that you send out, you need different escaping (otherwise a malicious user could rewrite your email-headers).

    In other words, you can only escape at the very last moment the data is "leaving" your application:

    • List item
    • Write to XML file, escape for XML
    • Write to DB, escape (for that particular DBMS)
    • Write email, escape for emails
    • etc

    To go short:

    1. You don't know where your data is going
    2. Data might actually end up in more than one place, needing different escaping mechanism's BUT NOT BOTH
    3. Data escaped for the wrong target is really not nice. (E.g. get an email with the subject "Go to Tommy\'s bar".)

    Esp #3 will occur if you escape data at the input layer (or you need to de-escape it again, etc).

    PS: I'll second the advice for not using magic_quotes, those are pure evil!

    0 讨论(0)
  • 陌清茗
    2020-11-22 03:11

    I rely on PHPTAL for that.

    Unlike Smarty and plain PHP, it escapes all output by default. This is a big win for security, because your site won't become vurnelable if you forget htmlspecialchars() or |escape somewhere.

    XSS is HTML-specific attack, so HTML output is the right place to prevent it. You should not try pre-filtering data in the database, because you could need to output data to another medium which doesn't accept HTML, but has its own risks.

    0 讨论(0)
  • 北恋
    2020-11-22 03:13

    I find that using this function helps to strip out a lot of possible xss attacks: http://www.codebelay.com/killxss.phps

    0 讨论(0)
  • 情话喂你
    2020-11-22 03:14

    Use an existing user-input sanitization library to clean all user-input. Unless you put a lot of effort into it, implementing it yourself will never work as well.

    0 讨论(0)
  • 天命终不由人
    2020-11-22 03:15

    Escaping input is not the best you can do for successful XSS prevention. Also output must be escaped. If you use Smarty template engine, you may use |escape:'htmlall' modifier to convert all sensitive characters to HTML entities (I use own |e modifier which is alias to the above).

    My approach to input/output security is:

    • store user input not modified (no HTML escaping on input, only DB-aware escaping done via PDO prepared statements)
    • escape on output, depending on what output format you use (e.g. HTML and JSON need different escaping rules)
    0 讨论(0)
  • 滥情空心
    2020-11-22 03:16
    • Don't trust user input
    • Escape all free-text output
    • Don't use magic_quotes; see if there's a DBMS-specfic variant, or use PDO
    • Consider using HTTP-only cookies where possible to avoid any malicious script being able to hijack a session
    0 讨论(0)
 看不清?
提交回复
热议问题