sanitization

Safe Parsing of Format Directives in Common Lisp

怎甘沉沦 submitted on 2019-12-08 20:21:06
Question: I would like to read in a string from an input file (which may or may not have been modified by the user). I would like to treat this string as a format directive to be called with a fixed number of arguments. However, I understand that some format directives (particularly, the ~/ comes to mind) could potentially be used to inject function calls, making this approach inherently unsafe. When using read to parse data in Common Lisp, the language provides the *read-eval* dynamic variable which

How to install, import and use DOMPurify in frontend js file?

不问归期 submitted on 2019-12-08 17:20:56
Question: This is more of a "can you please confirm this is correct" type of question, as I think I resolved it in the process of writing the question, but hopefully it will be of help to other people who are a bit hesitant when it comes to implementing DOMPurify. Short Version: Is it safe/valid to import and use DOMPurify like this in a frontend js file: npm install dompurify --save import DOMPurify from 'dompurify'; var clean = DOMPurify.sanitize('<img src=x onerror=alert(1)//>', {SAFE_FOR_JQUERY: true})

zend framework sanitizing data

馋奶兔 submitted on 2019-12-07 17:03:54
Question: I've seen different comments all over the place; some say that Zend Framework automatically sanitizes post/get data but others say it doesn't. What's the deal? I've seen that doing it in the predispatch with a foreach on getParams is the quickest way, but does anyone have any suggestions? Answer 1: Probably the deal is about Zend_Controller_Request vs. Zend_Db. Request data are often put into the DB. The Request object does not escape anything. You may force it to do so using filters, form filters or

Best way to escape strings for sql inserts?

心不动则不痛 submitted on 2019-12-07 05:42:29
Question: What is the best way to escape strings for SQL inserts and updates? I want to allow special characters including ' and ". Is the best way to search and replace each string before I use it in an insert statement? Thanks. Duplicate of: Best way to defend against mysql injection and cross site scripting. Answer 1: You should be using parameterized queries (so, by extension, a DB interface library that supports parameterized queries) so that SQL injection can't happen. Answer 2: If you're talking about data

Javascript XSS Prevention

╄→尐↘猪︶ㄣ submitted on 2019-12-07 05:27:38
Question: There is a Node.js project that sanitizes data and there is an OWASP library for JavaScript that handles sanitization to prevent XSS. I have been benchmarking these libraries, and they are pretty intensive and maybe overkill; my application does not need any dynamic HTML (submitted by users, bbtags or whatever, not required at all), so why not do it like this: disable the " < " and " > " characters, don't replace them or anything, just disable them; if the user submits these, give them a

Should I use ENT_QUOTES with htmlspecialchars or not

牧云@^-^@ submitted on 2019-12-07 04:42:50
Question: I am using PHP 5.4.4 running as UTF-8, and I'm not sure if I am using htmlspecialchars right. My strings / vars look like this: $text = "<p><span class='clx'>By:</span> ".htmlspecialchars($foo)."</span></p>"; echo $text; Do I need to use ENT_QUOTES, or is that only necessary when I have to echo something inside e.g. href="$foo" or id='$foo'? Atm, I'm only using htmlspecialchars inside closed html tags and not attributes. Just concatenate the var inside the string within a <p> tag and a </p>

Is this bad practice use of the error suppression operator?

你离开我真会死。 submitted on 2019-12-06 12:02:36
Question: I'm working on a database-driven site which is using normal database methods rather than prepared statements. Because of this I have to sanitise POST and GET variables when passed to a form action PHP script. There is a sanitise method defined which attempts to sanitise the user input as best as possible, but I am trying to cut down the code that tests for the POST and GET variables' existence and the code for defining variables with default values if they don't exist. This is what I came up

Are Cookies a Security Risk?

感情迁移 submitted on 2019-12-06 07:01:58
Question: Assume we have a website that asks the user for his name. The website then stores this value in a cookie, and on the next page retrieves it via PHP and uses it somehow (perhaps the page displays the name as text). Could a user modify the cookie data to inject malicious code? Should cookie data be sanitized as it's retrieved by the script? (This is a hypothetical scenario. Obviously a cookie wouldn't be necessary here.) Answer 1: Could a user modify the cookie data to inject malicious code? Should

CakePHP: h() vs. Sanitize::html()

旧巷老猫 submitted on 2019-12-06 04:24:24
Question: CakePHP has a global function called h. It's a convenience method for htmlspecialchars. CakePHP also has a utility called Sanitize, which has a method called html. Here is part of its description: This method prepares user-submitted data for display inside HTML. This is especially useful if you don't want users to be able to break your layouts or insert images or scripts inside of your HTML pages. When should each be used? Is one better than the other? Answer 1: Sanitize::html() is more versatile

This regex to strip punctuation also incorrectly makes the word Báenou into Benou

家住魔仙堡 submitted on 2019-12-06 04:14:31
Question: The goal of this regex is to remove punctuation characters: var myTxt = "Welcome, Visitor: The Royal Kingdom Of Báenou"; myTxt = myTxt.replace(/[^a-zA-Z0-9 ]+/g, '').replace('/ {2,}/',' '); alert(myTxt); So the text above should become this: Welcome Visitor The Royal Kingdom Of Báenou But instead it incorrectly drops the á in Báenou to produce this: Welcome Visitor The Royal Kingdom Of Benou What's the simplest change I could make to the regex to make it work as intended? Answer 1: Your problem is