This question already has an answer here:
这个问题在这里已有答案:
- Best way to handle security and avoid XSS with user entered URLs 8 answers
- 处理安全性和避免XSS与用户输入的URL 8答案的最佳方法
I want to store users' personal urls as plain text, encoded by htmlspecialchars().
我希望将用户的个人网址存储为纯文本,由htmlspecialchars()编码。
Then I would retrieve this data and generate and display a link, as follows:
然后我将检索此数据并生成并显示一个链接,如下所示:
echo '<a href="'.$retrieved_string.'" target="_blank">';
And yet, even with encoded special chars and quotes, the href may not be safe, due to the potentially inserted javascript, example of a bad link:
然而,即使使用编码的特殊字符和引号,由于可能插入的javascript,错误链接的示例,href可能不安全:
javascript:alert(document.cookie);
So what I'm thinking is to strip up for a potential 'javascript' tag (before I do the special chars encode of course), as follows:
所以我想的是剥离潜在的'javascript'标签(当然我在进行特殊字符编码之前),如下所示:
preg_replace('/^javascript:?/', '', $submitted_and_trimmed_input);
So let us sum it up altogether:
所以让我们完全总结一下:
$input=htmlspecialchars(preg_replace('/^javascript:?/', '', trim($_POST['link'])),11,'UTF-8',true);
mysql_query("update users set link='".mysql_real_escape_string($input)."'");
//And retrieving:
$query=mysql_query("select link from users");
$a=mysql_fetch_assoc($query);
echo '<a href="'.$a['link'].'" target="_blank">';
Now the question is, would it be enough to an url link safe, or is there any other potential surprises I should be alert against?
现在的问题是,网址链接是否足够安全,或者是否还有其他潜在的意外我应该警惕?
EDIT:
编辑:
I've read a bit about filter_var() and it seems to utterly fail in many ways. It doesn't validate international domains with unicode chars, then again the following string successfully passes the test:
我已经阅读了一些关于filter_var()的内容,它似乎在很多方面完全失败了。它不会使用unicode字符验证国际域,然后以下字符串再次成功通过测试:
http://example.com/"><script>alert(document.cookie)</script>
- I mean common... that's just rediculous, there must be a better way
- 我的意思是共同的...那只是一种荒谬的,必须有更好的方法
2 个解决方案
#1
9
Try using filter_var()
尝试使用filter_var()
filter_var('http://example.com', FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED)
#2
-2
This is how I'm gonna do it. It looks to me the best way is to prepend it with http:
这就是我要做的。在我看来,最好的方法是在http前加上它:
$link=preg_replace('/^(http(s)?)?:?\/*/u','http$2://',trim($_POST['website']));
So even if a script gets there I couldn't care less. Then actually convert chars:
因此,即使脚本到达那里我也不在乎。然后实际转换字符:
$link= htmlspecialchars($link, 11,'UTF-8',true);
That's it. No beating around the bush, and should be utf-8 compat also.
而已。没有在灌木丛周围跳动,也应该是utf-8 compat。
#1
9
Try using filter_var()
尝试使用filter_var()
filter_var('http://example.com', FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED)
#2
-2
This is how I'm gonna do it. It looks to me the best way is to prepend it with http:
这就是我要做的。在我看来,最好的方法是在http前加上它:
$link=preg_replace('/^(http(s)?)?:?\/*/u','http$2://',trim($_POST['website']));
So even if a script gets there I couldn't care less. Then actually convert chars:
因此,即使脚本到达那里我也不在乎。然后实际转换字符:
$link= htmlspecialchars($link, 11,'UTF-8',true);
That's it. No beating around the bush, and should be utf-8 compat also.
而已。没有在灌木丛周围跳动,也应该是utf-8 compat。