Today's rich-text editors all have XSS injection vulnerabilities. I'd like to ask: how do you prevent XSS injection? Leave markdown editors aside for now.
Cleaning XSS attacks on the server side
```php
string htmlentities ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = "UTF-8" [, bool $double_encode = true ]]] )
```
Example:
```php
<?php
$str = "A 'quote' is <b>bold</b>";
// Default flags (ENT_COMPAT before PHP 8.1) leave the single quote alone
echo htmlentities($str);              // A 'quote' is &lt;b&gt;bold&lt;/b&gt;
// ENT_QUOTES also encodes the single quote
echo htmlentities($str, ENT_QUOTES);  // A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
?>
```

```php
<?php
$str = "\x8F!!!";  // 0x8F is not valid UTF-8
// An invalid byte sequence makes the call return an empty string
echo htmlentities($str, ENT_QUOTES, "UTF-8");               // (empty string)
// ENT_IGNORE silently drops the invalid bytes instead
echo htmlentities($str, ENT_QUOTES | ENT_IGNORE, "UTF-8");  // !!!
?>
```

```php
string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = "UTF-8" [, bool $double_encode = true ]]] )
```

```php
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new;  // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>
```
To display the original text again, use htmlspecialchars_decode or html_entity_decode.
```php
string htmlspecialchars_decode ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 ] )
```
```php
<?php
$str = "<p>this -> &quot;</p>\n";
echo htmlspecialchars_decode($str);                 // &quot; is decoded
echo htmlspecialchars_decode($str, ENT_NOQUOTES);   // quotes are left encoded
?>
```
The above outputs:
```html
<p>this -> "</p>
<p>this -> &quot;</p>
```

```php
string html_entity_decode ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = "UTF-8" ]] )
```

```php
<?php
$orig = "I'll \"walk\" the <b>dog</b> now";
$a = htmlentities($orig);         // default flags: " and markup encoded, ' left as-is (pre-8.1 default)
$b = html_entity_decode($a);      // round trip back to the original
echo $a;  // I'll &quot;walk&quot; the &lt;b&gt;dog&lt;/b&gt; now
echo $b;  // I'll "walk" the <b>dog</b> now
?>
```
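The escaping functions above, as an added example that is not part of the original answer: it runs a few constructed XSS payloads through htmlspecialchars with the old ENT_COMPAT flags and with ENT_QUOTES | ENT_SUBSTITUTE, then shows what happens when the decode function is applied on the render path. The function names (escapeHtml, escapeHtmlCompat, isInert) and the payloads are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not code from the original post): output escaping built on the
// functions shown above, run against constructed XSS payloads.

// Escape untrusted text for an HTML body or a quoted attribute value.
// ENT_QUOTES escapes ' as well as " (ENT_COMPAT, the default before PHP 8.1, leaves ' alone);
// ENT_SUBSTITUTE turns invalid UTF-8 into U+FFFD instead of making the call return "".
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The weak form: what the pre-8.1 default flags did.
function escapeHtmlCompat(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Does the escaped value still contain a character that can close a tag or an attribute?
// Note that an empty string passes this check only because the whole value was discarded.
function isInert(string $escaped): bool
{
    return strpbrk($escaped, "<>\"'") === false;
}

// Constructed payloads: tag injection, attribute break-out with each quote style,
// and an invalid UTF-8 byte in front of markup.
$payloads = [
    'script tag'          => '<script>alert(1)</script>',
    'double-quoted attr'  => '" onmouseover="alert(1)',
    'single-quoted attr'  => "' onmouseover='alert(1)",
    'invalid utf-8 + tag' => "\x8F<b>bold</b>",
];

foreach ($payloads as $name => $p) {
    $compat = escapeHtmlCompat($p);   // single-quoted break-out survives; invalid byte -> ""
    $safe   = escapeHtml($p);         // every payload is neutralised; invalid byte -> U+FFFD
    printf("%-20s compat: %-40s inert=%s\n", $name, '[' . $compat . ']', isInert($compat) ? 'yes' : 'NO');
    printf("%-20s quotes: %-40s inert=%s\n", '',    '[' . $safe . ']',   isInert($safe)   ? 'yes' : 'NO');
}

// Decoding belongs in an editing form, never in the render path: undoing the
// escaping right before output puts the markup back.
$stored   = escapeHtml('<img src=x onerror=alert(1)>');   // the value you would persist
$rendered = '<div class="comment">' . $stored . '</div>';
$undone   = '<div class="comment">' . htmlspecialchars_decode($stored, ENT_QUOTES | ENT_HTML5) . '</div>';
echo "render escaped: ", $rendered, "\n";   // the browser shows the payload as literal text
echo "render decoded: ", $undone, "\n";     // the <img> element is live again
```

Run it with `php escape_demo.php`. Two points the page's examples do not spell out: a single-quoted attribute value is only protected once ENT_QUOTES is set (the default only since PHP 8.1), and an invalid byte makes the call return an empty string unless ENT_SUBSTITUTE or ENT_IGNORE is passed, so the whole field silently disappears instead of failing loudly. Escaping like this is the right treatment for fields that are rendered as text. The HTML a rich-text editor produces has to be rendered as markup, so escaping it defeats the editor; that case calls for an allowlist-based HTML sanitizer (HTML Purifier is the usual PHP choice) rather than htmlspecialchars, and the decode functions should only run when loading stored content back into the editor.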