Problem description
I'm coding a WYSIWYG editor with designMode="on" on an iframe. The editor works fine and I store the code as is in the database.
Before outputting the HTML I need to "clean" it with PHP on the server side to avoid cross-site scripting and other scary things. Is there some sort of best practice on how to do this? What tags can be dangerous?
UPDATE: Typo fixed, it's What You See Is What You Get. Nothing new :)
The best practice is to allow only certain things you know aren't dangerous, and remove/escape all the rest. See the paper Automated Malicious Code Detection and Removal on the Web (OWASP AntiSamy) for a discussion on this (the library is for Java, but the principles apply to any language).
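The allowlist approach the answer recommends, as an added example in PHP (not code from the question, the answer, or AntiSamy). It assumes PHP's built-in DOMDocument, and the tag, attribute and URL-scheme lists are this example's own choices: everything not on them is dropped, and `href`/`src` values are checked after the parser has decoded entities, so obfuscated `javascript:` URLs are caught too.

```php
<?php
// Added example: allowlist sanitizer. Tag, attribute and scheme lists are this example's own choices.
const ALLOWED_TAGS = ['p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'u' => [], 'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
    'a' => ['href', 'title'], 'img' => ['src', 'alt']];            // tag => allowed attributes
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'form'];
const SAFE_SCHEMES = ['http', 'https', 'mailto'];
function safe_url(string $url): bool {                               // browsers ignore "java\tscript:"
    $u = preg_replace('/[\x00-\x20]+/', '', $url);
    return !preg_match('/^([a-z][a-z0-9+.-]*):/i', $u, $m) || in_array(strtolower($m[1]), SAFE_SCHEMES, true);
}

function clean_node(DOMNode $node): void {
    foreach (iterator_to_array($node->childNodes, false) as $child) { // snapshot: the list is live
        if (!$child instanceof DOMElement) {
            if (!$child instanceof DOMText) $node->removeChild($child); // comments, PIs
            continue;
        }
        $tag = strtolower($child->tagName);
        if (array_key_exists($tag, ALLOWED_TAGS)) {
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);                     // DOM already decoded entities
                $ok = in_array($name, ALLOWED_TAGS[$tag], true)
                    && (!in_array($name, ['href', 'src'], true) || safe_url($attr->value));
                if (!$ok) $child->removeAttribute($attr->name);      // drops on*=, style=, bad URLs
            }
            clean_node($child);
        } elseif (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);                              // their content is code, not text
        } else {                                                     // unknown tag: unwrap it
            clean_node($child);
            while ($child->firstChild) $node->insertBefore($child->firstChild, $child);
            $node->removeChild($child);
        }
    }
}

function clean_html(string $html): string {
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);                        // editor output is rarely well-formed
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors(); libxml_use_internal_errors($prev);
    $root = $doc->getElementsByTagName('div')->item(0);              // our wrapper is the first <div>
    clean_node($root);
    // Serialise the cleaned children; text nodes come back entity-encoded.
    return implode('', array_map(fn($c) => $doc->saveHTML($c), iterator_to_array($root->childNodes, false)));
}

// Constructed sample: editor output carrying an event handler, a script block and an entity-obfuscated javascript: URL.
echo clean_html('<p onclick="x()">Hi <b>there</b></p><script>alert(1)</script>'
    . '<a href="java&#9;script:alert(1)">x</a><img src="https://example.com/a.png">'), "\n";
```

Unknown but harmless tags (a stray `<span>` or `<font>` from the editor) are unwrapped so their text survives, while the `DROP_WITH_CONTENT` list is removed together with its contents, since script or style bodies are not user prose.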