sanitization

How do I filter out Dangerous HTML like SO does? [duplicate]

你。 Submitted on 2020-01-03 18:51:38
Question: This question already has answers here: How to prevent XSS with HTML/PHP? (10 answers), Sanitizing HTML input (4 answers). Closed 6 years ago. I want to provide an HTML editor on my site, but don't want to open myself up to XSS or other attacks that come with allowing user-generated HTML. This is pretty similar to what Stack Overflow does. How is the HTML checked/sanitized here so that the styling information still remains, while other, more dangerous stuff (like JavaScript, iframes, etc.)

How in Django/Python can I ensure safety from WYSIWYG-entered HTML?

十年热恋 Submitted on 2020-01-03 12:34:09
Question: I would like to remove vulnerabilities to XSS / JavaScript injection in a web application where users are allowed to use an editor like CKEditor which allows arbitrary HTML (and whether my specific choice of editor allows arbitrary HTML or not, blackhats will be able to submit arbitrary HTML anyway). So no JavaScript, whether SCRIPT tags, ONCLICK and family, or whatever else. The target platform is Python and Django. What are my best options here? I am open to an implementation that would

Sanitize vimeo embed code

只谈情不闲聊 Submitted on 2020-01-03 05:01:09
Question: Here's the Vimeo embed code. <object width="40" height="300"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=9082619&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" /><embed src="http://vimeo.com/moogaloop.swf?clip_id=9082619&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" type="application/x-shockwave-flash"

Sanitizing SQL in Rails where conditions may be NULL

前提是你 Submitted on 2020-01-03 04:30:06
Question: I'm struggling to sanitize a raw SQL query in which the WHERE conditions may either have a value or be NULL. I was hoping to use Active Record's built-in sanitizers... (NOTE: I'll be using a simplified query for demo purposes; our real one is a complex UNION across different model types that would be hard to do with the AR query interface.) Try 1: raw_query = "SELECT * FROM folders WHERE user_id = ? AND parent_id = ?" sanitized_query = ActiveRecord::Base.send(:sanitize_sql_array, [raw_query,

Sanitising strings in R

两盒软妹~` Submitted on 2020-01-02 03:37:08
Question: This is related to a previous question, here: Converting a \u escaped Unicode string to ASCII. I proposed a solution involving eval(parse(text=x)), which for non-R users means what it says: parsing the text string, then evaluating it. The aim was not to allow arbitrary code to be executed, but only to un-escape escaped Unicode text. Hence the solution: eval(parse(text=paste0("'", x, "'"))) While this should be fairly safe given the restricted objective, I'd be interested to know: how much

When to do sanitization in CakePHP

大城市里の小女人 Submitted on 2020-01-02 02:22:28
Question: I read from the cookbook (sec. 4.2): CakePHP already protects you against SQL injection if you use CakePHP's ORM methods (such as find() and save()) and proper array notation (i.e. array('field' => $value)) instead of raw SQL. For sanitization against XSS it's generally better to save raw HTML in the database without modification and sanitize at the time of output/display. So are we sure that we NEVER need to manually sanitize user data against SQL, provided we restrict to methods such as find() and

.NET libraries to sanitize input?

喜夏-厌秋 Submitted on 2020-01-01 02:41:51
Question: Are there any thoroughly tested .NET libraries out there to sanitize input from things like script/SQL injection? Answer 1: SQL injection and Cross-Site Scripting (a.k.a. XSS or Script Injection) are different problems. 1) SQL injection is very easy: always use parametrized queries (SQLParameter) and try really hard to NEVER do sp_exec @query within T-SQL stored procedures. .NET parametrized queries will not protect against this second-order injection. 2) XSS is more difficult to universally

Function to sanitize input values PHP

微笑、不失礼 Submitted on 2019-12-30 10:34:30
Question: I use this: function safeClean($n) { $n = trim($n); if(get_magic_quotes_gpc()) { $n = stripslashes($n); } $n = mysql_escape_string($n); $n = htmlentities($n); return $n; } to prevent any type of MySQL injection or anything like that. Whenever I use it to wrap around $_POST like this: $username = safeClean($_POST['user']); $password = md5(safeClean($_POST['password'])); $vpassword = md5(safeClean($_POST['verify'])); $email = safeClean($_POST['email']); it doesn't even work, but I have attached

What is the correct way to detect whether string inputs contain HTML or not?

£可爱£侵袭症+ Submitted on 2019-12-29 11:35:30
Question: When receiving user input on forms I want to detect whether fields like "username" or "address" do not contain markup that has a special meaning in XML (RSS feeds) or (X)HTML (when displayed). So which of these is the correct way to detect whether the input entered doesn't contain any special characters in HTML and XML context? if (mb_strpos($data, '<') === FALSE AND mb_strpos($data, '>') === FALSE) or if (htmlspecialchars($data, ENT_NOQUOTES, 'UTF-8') === $data) or if (preg_match("/[^\p{L}