xss

问题 Can I use ActionView::Helpers::SanitizeHelper#sanitize on user-entered text that I plan on showing to other users? E.g., will it properly handle all cases described on this site? Also, the documentation mentions: Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped ’<’, ’>’, ’&’ characters and confuse browsers. What's the best way to handle this?

问题 I was asking myself about the security of using the php function htmlentities() against XSS attacks, and maybe of related functions such as htmlspecialchars. thanks a lot :) 回答1: You will need to explicitly specify proper encoding (e.g: utf-8), Chris had a post on how to inject code even calling htmlentities without appropriate encoding. http://shiflett.org/blog/2005/dec/google-xss-example 回答2: It is not bullet-proof, it never saves you 100%. You must remember that when it comes to security,

问题 Closed. This question is off-topic. It is not currently accepting answers. Want to improve this question? Update the question so it's on-topic for Stack Overflow. Closed 11 months ago . I'm looking for a complete list of security guidelines for programming and deploying PHP web sites and applications on an Apache (Linux) server. Basically, a "security check list" to run through before finishing a project. I.e., Cross Site Scripting Cross Site Request Forgery Sanitize form data that goes into

问题 I've been hunting around the net now for a few days trying to figure this out but getting conflicting answers. Is there a library, class or function for PHP that securely sanitizes/encodes a string against XSS? It needs to be updated regularly to counter new attacks. I have a few use cases: Use case 1) I have a plain text field, say for a First Name or Last Name User enters text into field and submits the form Before this is saved to the database I want to a) trim any whitespace off the front

问题 I've been hunting around the net now for a few days trying to figure this out but getting conflicting answers. Is there a library, class or function for PHP that securely sanitizes/encodes a string against XSS? It needs to be updated regularly to counter new attacks. I have a few use cases: Use case 1) I have a plain text field, say for a First Name or Last Name User enters text into field and submits the form Before this is saved to the database I want to a) trim any whitespace off the front

问题 i create my new site. Now i learn and use Symfony. I have few questions. Why default Symfony allow add HTML tags to database? For example i create new module, i go to module/new, in title i enter <strong>test</strong> and next save it. In database MySQL i have <strong>test</strong> . Is it safe? I know - if i use simply $test->getTitle() then this render text <strong>test</strong> , but what if i would like add for user comments WYSYWIG and use RawValue()? Users can not close tags </strong>

问题 I built a dice roller here: http://howderek.com/projects/diediedie/ and I wanted to implement math so that my users could preform mathmatical operations to their rolls, which is useful for RPGs. Instead of building a function to handle the math, or using a library like math.js , I figured that since JavaScript has math built in, this might be a good use for eval() . The reason I am concerned with the eval() however, is that appending ?q=whatever to the url of DieDieDie enters whatever into

问题 I am a newbie, just to be clear. I hear a lot about escaping data to prevent XSS attacks. How do I actually do that? This is what I am doing currently - $s = mysqli_real_escape_string($connect,$_POST['name'])); Is this enough? Thanks 回答1: If you output the data to html you should use htmlspecialchars() else, if you're storing the data in a database you should escape strings using mysqli_real_escape_string() and cast numbers (or use prepared statements for both) and protect identifiers

问题 I have a page thusly: <html> <head></head> <body> <iframe src="local.html"></iframe> <iframe src="http://www.google.com"></iframe> </body> </html> I've used the DOM to access the first iframe as a test (node.documentWindow) but when I try similar on the external iframe Firebug reports that access is denied. I suspect this is for XSS protection, but is there a "safe" way to import the node so I can grab an element from that external page? Is there a way to explore the "document as rendered" or

问题 Questions: What are the best safe1(), safe2(), safe3(), and safe4() functions to avoid XSS for UTF8 encoded pages? Is it also safe in all browsers (specifically IE6)? <body><?php echo safe1($xss)?></body> <body id="<?php echo safe2($xss)?>"></body> <script type="text/javascript"> var a = "<?php echo safe3($xss)?>"; </script> <style type="text/css"> .myclass {width:<?php echo safe4($xss)?>} </style> . Many people say the absolute best that can be done is: // safe1 & safe2 $s = htmlentities($s,