php - Preventing JavaScript Injection - Stack Overflow


Say I have a form with which a user inputs some information that is submitted to the server using PHP, and in the PHP code I have, say:

$data = $_POST['data'];
// or
$data = strip_tags(@$_POST['data']);

  1. I want to know if strip_tags() is enough to stop JavaScript injection through HTML forms. If not, how else can this be prevented? I have read here.

  2. And also, say I input javascript:void(document.bgColor="blue") in the browser address bar; this changes the whole site's background color to blue. How can JavaScript injection through the address bar be prevented?

Thanks.


asked Jul 27, 2017 at 19:44 by diagold
  • Using the filter_input() and filter_input_array() functions is typically the better approach. You should completely avoid using the superglobals $_GET and $_POST, etc. – Octopus, commented Jul 27, 2017 at 19:47
  • Not even famous websites have that strong protection. Facebook has good protection, and it still can call functions, depending on the browser of course. – Djordje Vujicic, commented Jul 27, 2017 at 19:54

4 Answers

I suggest using htmlspecialchars whenever you want to output something to the browser:

echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8');

Check out this.

For question 2, I'm not sure if that's even possible to prevent. It's not something I've ever considered before. It sounds like you're trying to prevent executing any javascript that wasn't included by you on the page, which would also mean blocking the devtools in the browser from executing anything in the console. This could potentially be hostile to your users, e.g. if they wanted to use a bookmarklet from Instapaper.

For 1, ultimately your goal is to avoid including this injected javascript from the form when you generate a new page. When you output the data from the form, you can wrap it in htmlspecialchars.

It depends on which output you are trying to get.

In some cases, you'll want to leave the HTML tags, including script tags, but you want those elements not to run when you output them. In that case you should use htmlspecialchars($_POST['data']) (it's suggested to also define utf8 as the third parameter).

But if you want to remove the tags entirely, then strip_tags will prevent XSS.

One function cannot fully protect you from script injection. Consider the following program:

<?php
// Each value is encoded with htmlspecialchars, but the attributes below are unquoted,
// so a value containing a space still adds new attributes to the <iframe>.
if(isset($_POST['height']))
  $height=htmlspecialchars($_POST['height'], ENT_QUOTES, 'UTF-8');
else $height=200;
if(isset($_POST['width']))
  $width=htmlspecialchars($_POST['width'], ENT_QUOTES, 'UTF-8');
else $width=300;
echo("
<!DOCTYPE html>
<html>
<body>
<iframe src='whatever' height=$height width=$width>
</iframe>
</body>
</html>
");

The input is sanitized, but javascript will still be executed through a simple injection vector like:

300 onload=alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))

You still need to quote your attributes or you are vulnerable like this example.

Another semi-common injection vector exists when user input is echoed into JavaScript comments, and you can inject new lines or close the comment. I blame it on the 'this shit doesn't work as it should, but let's keep it around in a comment'-style of development.

Note: The XSS protection of many browsers will not run my simple example. If you want to try it use one without protection, or find a vector that defeats it (not sure if there is one for e.g. Chrome).
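A hardened rewrite of the iframe snippet from this answer, added here as an example and not code from any of the answers above. It quotes every attribute, validates the dimensions as integers with filter_input() (as the first comment on the question suggests) instead of merely encoding them, and encodes free text with htmlspecialchars(); the caption field is an assumption added to show the encoding path.

```php
<?php
// Added example (not code from any of the answers above): the iframe page rebuilt
// so that no submitted value can break out of its attribute.

// Dimensions must be integers, so validate them as such instead of encoding them.
// filter_input() returns false on a failed validation and null when the key is absent;
// both fall back to the default, so "300 onload=..." never reaches the HTML.
function dimension(string $name, int $default): int
{
    $value = filter_input(INPUT_POST, $name, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 4000],
    ]);
    return ($value === false || $value === null) ? $default : $value;
}

// Free text that lands inside HTML gets encoded; ENT_QUOTES covers both quote
// characters so the value cannot terminate a quoted attribute either.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$height = dimension('height', 200);
$width  = dimension('width', 300);
// Assumed extra field (not in the original snippet): a caption shown under the frame.
$caption = h((string) ($_POST['caption'] ?? ''));

// Every attribute is double-quoted and every interpolated value is either an
// integer or the output of h(), so neither a space nor a quote in the input
// can start a new attribute or element.
echo <<<HTML
<!DOCTYPE html>
<html>
<body>
<iframe src="whatever" height="{$height}" width="{$width}"></iframe>
<p>{$caption}</p>
</body>
</html>
HTML;
```

Note that htmlspecialchars() is the right encoder only for HTML element and attribute contexts; a value echoed into a <script> block or a JavaScript comment, as described above, needs a JavaScript-context encoding (json_encode with the hex flags) instead.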
