在 Yii 中净化 html 字符串
Purify html string in Yii
我正在尝试净化字符串以防止 XSS 攻击,但如果字符串没有脚本标签但具有 html 属性,则该字符串不会净化。
示例:
$str = 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74';
$purifier = new CHtmlPurifier();
var_dump(
$str,
$purifier->purify($str)
);
结果:
string 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74' (length=145)
string 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74' (length=145)
是的,因为该字符串是有效的无 XSS HTML。如果您打算在属性中使用它,要净化它,您可以使用 HTML 净化器的内部 AttrDef 类 手动净化它。对于 URL,您可能需要 HTMLPurifier_AttrDef_URI:
$def = new HTMLPurifier_AttrDef_URI();
$config = HTMLPurifier_Config::default();
$context = new HTMLPurifier_Context();
$pure_url = $def->validate($your_url, $config, $context);
我正在尝试净化字符串以防止 XSS 攻击,但如果字符串没有脚本标签但具有 html 属性,则该字符串不会净化。
示例:
$str = 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74';
$purifier = new CHtmlPurifier();
var_dump(
$str,
$purifier->purify($str)
);
结果:
string 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74' (length=145)
string 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74' (length=145)
是的,因为该字符串是有效的无 XSS HTML。如果您打算在属性中使用它,要净化它,您可以使用 HTML 净化器的内部 AttrDef 类 手动净化它。对于 URL,您可能需要 HTMLPurifier_AttrDef_URI:
$def = new HTMLPurifier_AttrDef_URI();
$config = HTMLPurifier_Config::default();
$context = new HTMLPurifier_Context();
$pure_url = $def->validate($your_url, $config, $context);