What are the best practices for avoiding xss attacks in a PHP site

Front-end · Unresolved · 20 · 2357
佛祖请我去吃肉 2020-11-22 02:34

I have PHP configured so that magic quotes are on and register globals are off.

I do my best to always call htmlentities() for anything I am outputting that is derive

20 answers
  • 2020-11-22 03:11

    I'm of the opinion that one shouldn't escape anything during input, only on output. Since (most of the time) you cannot assume that you know where that data is going. Example, if you have a form that takes data that later on appears in an email that you send out, you need different escaping (otherwise a malicious user could rewrite your email-headers).

    In other words, you can only escape at the very last moment the data is "leaving" your application:

    • List item
    • Write to XML file, escape for XML
    • Write to DB, escape (for that particular DBMS)
    • Write email, escape for emails
    • etc

    To go short:

    1. You don't know where your data is going
    2. Data might actually end up in more than one place, needing different escaping mechanisms BUT NOT BOTH
    3. Data escaped for the wrong target is really not nice. (E.g. get an email with the subject "Go to Tommy\'s bar".)

    Esp. #3 will occur if you escape data at the input layer (or you need to de-escape it again, etc).

    PS: I'll second the advice for not using magic_quotes, those are pure evil!

  • 2020-11-22 03:11

    I rely on PHPTAL for that.

    Unlike Smarty and plain PHP, it escapes all output by default. This is a big win for security, because your site won't become vulnerable if you forget htmlspecialchars() or |escape somewhere.

    XSS is an HTML-specific attack, so HTML output is the right place to prevent it. You should not try pre-filtering data in the database, because you could need to output data to another medium which doesn't accept HTML, but has its own risks.

  • 2020-11-22 03:13

    I find that using this function helps to strip out a lot of possible XSS attacks: http://www.codebelay.com/killxss.phps

  • 2020-11-22 03:14

    Use an existing user-input sanitization library to clean all user-input. Unless you put a lot of effort into it, implementing it yourself will never work as well.

  • 2020-11-22 03:15

    Escaping input is not the best you can do for successful XSS prevention. Also output must be escaped. If you use the Smarty template engine, you may use the |escape:'htmlall' modifier to convert all sensitive characters to HTML entities (I use my own |e modifier, which is an alias for the above).

    My approach to input/output security is:

    • store user input not modified (no HTML escaping on input, only DB-aware escaping done via PDO prepared statements)
    • escape on output, depending on what output format you use (e.g. HTML and JSON need different escaping rules)
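The workflow described in the answer above and in the first answer (store input unmodified, escape at the last moment for the specific target) as a runnable added example. This is not code from the thread: the `venues` table, the helper names and the sample input are all constructed for illustration, and an in-memory SQLite database stands in for the real DBMS so it runs stand-alone.

```php
<?php
// Added example (not from the original thread): store user input unmodified with a
// PDO prepared statement, then escape it once per output context. Uses an in-memory
// SQLite database so it runs stand-alone; table and column names are invented.
declare(strict_types=1);

// Constructed sample input: what a hostile user might type into a "bar name" field.
$userInput = "Tommy's bar <script>alert(1)</script> & \"friends\"";

// 1. Storage: no HTML escaping, no addslashes(); the driver handles SQL quoting.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE venues (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$stmt = $pdo->prepare('INSERT INTO venues (name) VALUES (:name)');
$stmt->execute([':name' => $userInput]);

$name = $pdo->query('SELECT name FROM venues')->fetchColumn();
if ($name !== $userInput) {
    throw new RuntimeException('value was altered on the way through the database');
}

// 2. Output: one escaper per target, chosen when the data leaves the application.
function escHtml(string $s): string
{
    // ENT_QUOTES covers both ' and ", so the result is safe in element text and in
    // quoted attributes; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function escJs(string $s): string
{
    // For a value inside a <script> block: JSON with HTML-significant characters
    // hex-encoded, so a "</script>" inside the string cannot close the tag.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}
function escUrlParam(string $s): string
{
    return rawurlencode($s);
}
function escXml(string $s): string
{
    // XML only knows the five predefined entities, so htmlspecialchars (not
    // htmlentities) is the correct call here as well.
    return htmlspecialchars($s, ENT_QUOTES | ENT_XML1, 'UTF-8');
}
function escMailHeader(string $s): string
{
    // Header injection relies on smuggled CR/LF; for a header the fix is to drop
    // them, not to HTML-encode anything (minimal illustration, not a full mailer).
    return str_replace(["\r", "\n"], '', $s);
}

// The same stored value rendered for five different targets:
echo '<p>' . escHtml($name) . "</p>\n";
echo '<a href="/venue?name=' . escUrlParam($name) . '">link</a>' . "\n";
echo '<script>var venue = ' . escJs($name) . ";</script>\n";
echo '<name>' . escXml($name) . "</name>\n";
echo 'Subject: ' . escMailHeader($name) . "\n";

// 3. What the first answer warns about: escaping for the wrong target. addslashes()
//    (what magic_quotes did on input) turns an email subject into "Tommy\'s bar".
echo 'Subject (wrong): ' . addslashes("Tommy's bar") . "\n";
```

Each `esc*` helper is only called at the point of output, so the same row can be rendered into HTML, JSON, a URL or an email without ever being de-escaped, which is the failure mode the "Tommy\'s bar" example illustrates.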
  • 2020-11-22 03:16
    • Don't trust user input
    • Escape all free-text output
    • Don't use magic_quotes; see if there's a DBMS-specific variant, or use PDO
    • Consider using HTTP-only cookies where possible to avoid any malicious script being able to hijack a session
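The HTTP-only cookie advice from the answer above as a runnable added example (not from the thread). It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`; the `ini_set()` calls are the older equivalent. It goes slightly beyond the bullet by also setting `secure`, `samesite` and strict session id handling, which close the neighbouring session-hijacking paths; the helper names are invented.

```php
<?php
// Added example (not from the original thread): harden the PHP session cookie so an
// injected script cannot read the session id via document.cookie. Must run before
// session_start(). Assumes PHP >= 7.3; helper names are invented for this example.
declare(strict_types=1);

function hardenSessionCookie(bool $httpsOnly = true): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie, dropped on close
        'path'     => '/',
        'domain'   => '',         // current host only
        'secure'   => $httpsOnly, // never sent over plain HTTP
        'httponly' => true,       // invisible to document.cookie
        'samesite' => 'Lax',      // not attached to most cross-site requests
    ]);
    // Same flag via ini, for code paths that configure sessions elsewhere:
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_only_cookies', '1'); // refuse session ids passed in the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
}

// Deployment smoke test: report the flags actually in effect.
function sessionCookieFlags(): array
{
    $p = session_get_cookie_params();
    return [
        'httponly' => (bool) $p['httponly'],
        'secure'   => (bool) $p['secure'],
        'samesite' => $p['samesite'] ?? '',
    ];
}

hardenSessionCookie(true);
session_start();
$flags = sessionCookieFlags();
if (!$flags['httponly']) {
    throw new RuntimeException('session cookie is not HttpOnly');
}
echo json_encode($flags), "\n";
```

Set `$httpsOnly` to `false` only on a development host without TLS; on a production site a session cookie without the `secure` flag can be replayed from any plain-HTTP request the browser makes.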