sanitization

问题 I am programming a blog and I want the URIs to be the title like the question title here in stackoverflow or like wordpress. What are the rules for sanitizing a URI? Is there an already made code in PHP that does this? Thanks in advance, Omer 回答1: Many CMS's have implemented something like that, the one of Wordpress has been posted in another question. You might be interested in the question about this technique in general, too. 回答2: This might be the shortest way to replace any non

问题 I'm trying to sanitize any data that's inputted by making sure the data is valid for a particular field (e.g. a name can't contain special characters/numbers etc..) However, I'm not sure what to do when it comes to a password field. Would I even need to bother with any sanitization as the password is simply hashed? If the user was to inject anything malicious via the password textbox, should I bother checking for anything suspicious? AFAIK, some users may (should!) have special characters

问题 Is there a way to safely sanitize path input, without using realpath() ? Aim is to prevent malicious inputs like ../../../../../path/to/file $handle = fopen($path . '/' . $filename, 'r'); 回答1: Not sure why you wouldn't want to use realpath but path name sanitisation is a very simple concept, along the following lines: If the path is relative (does not start with / ), prefix it with the current working directory and / , making it an absolute path. Replace all sequences of more than one / with

问题 I have a website in php that does include() to embed the content into a template. The page to load is given in a get parameter, I add ".php" to the end of the parameter and include that page. I need to do some security check to avoid XSS or other stuff (not mysql injection since we do not have a database). What I've come up with is the following. $page = $_GET['page']; if(!strpos(strtolower($page), 'http') || !strpos($page, '/') || !strpos($page, '\\') || !strpos($page, '..')) { //append "

问题 I am just looking into using HTML Purifier to ensure that a user-inputed string (that represents the name of a person) is sanitized. I do not want to allow any html tags, script, markup etc - I just want the alpha, numeric and normal punctuation characters. The sheer number of options available for HTML Purifier is daunting and, as far as i can see, the docs do not seem to have a beggining/middle or end see: http://htmlpurifier.org/docs Is there a simple hello world tutorial online for HTML

问题 I'm looking for class/util etc. to sanitize HTML code i.e. remove dangerous tags, attributes and values to avoid XSS and similar attacks. I get html code from rich text editor (e.g. TinyMCE) but it can be send malicious way around, ommiting TinyMCE validation ("Data submitted form off-site"). Is there anything as simple to use as InputFilter in PHP? Perfect solution I can imagine works like that (assume sanitizer is encapsulated in HtmlSanitizer class): String unsanitized = "...<...>..."; //

问题 I'm looking for a simple PHP library that helps filter XSS vulnerabilities in PHP Markdown output. I.E. PHP Markdown will parse things such as: [XSS Vulnerability](javascript:alert('xss')) I've been doing some reading around and the best I've found on the subject here was this question. Although HTML Purifier looks like the best ( nearly only ) solution I was wondering if there was anything out there more general? HTML Purifier seems to be a bit robust especially for my needs, as well as a

问题 I am trying to render base64 string into <img src='data:image/png;base64,${Here}' . But always when I try to render it, ng2 sanitizing my base64 string before rendering it adds something into my value before showing it in DOM. I have found workaround(using DomSanitizer) but it doesn't work on latest versions. Here is my markup: <img alt="RegularImage" src="data:image/png;base64,{{imgBase64}}"> And here is my component part: imgBase64="SomeBase64StringFetchedSomehow"; But angular2 is showing

问题 I am trying to render base64 string into <img src='data:image/png;base64,${Here}' . But always when I try to render it, ng2 sanitizing my base64 string before rendering it adds something into my value before showing it in DOM. I have found workaround(using DomSanitizer) but it doesn't work on latest versions. Here is my markup: <img alt="RegularImage" src="data:image/png;base64,{{imgBase64}}"> And here is my component part: imgBase64="SomeBase64StringFetchedSomehow"; But angular2 is showing

问题 How do you sanitize data in $_GET -variables by PHP? I sanitize only one variable in GET by strip_tags . I am not sure whether I should sanitize everything or not, because last time in putting data to Postgres, the problem was most easily solved by the use of pg_prepare . 回答1: How do you sanitize data in $_GET -variables by PHP? You do not sanitize data in $_GET. This is a common approach in PHP scripts, but it's completely wrong*. All your variables should stay in plain text form until the