dongya767979565 2013-03-24 10:34
92 views

If I disallow the Source button in CKEditor, is my application secure?

I am using CKEditor to let the users post their comments. I am not using bbcode in my forum. If I hide the Source button of CKEditor and do the following steps:

  1. use the htmlspecialchars() function to handle the HTML elements
  2. use parse_url to ensure that the data has been submitted from my own domain

am I securely handling the user-submitted data? Do I still need to use bbcode? What more steps should I take to make my application more secure?


1 answer

  • duangan6636 2013-03-24 11:32

    You won't secure your code by hiding that button. In fact, nothing you do on the client side will help.

    I strongly suggest you check what your users post before adding it to your DB. The last time I had to deal with such a thing, I used a combination of PHPIDS and HTML Purifier, but that was long ago and I don't know if they're the best tools for that nowadays.

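The server-side check the answer recommends, as an added example that is not part of the original question or answer and is not HTML Purifier's code. It is written in Python (standard library only) rather than the asker's PHP because the technique is the same in any language: the browser can send any bytes it likes no matter which toolbar buttons CKEditor shows, so the server must rebuild the comment from an allowlist of tags and attributes, dropping scripts, event handlers and `javascript:` links while keeping legitimate formatting. Note that the asker's two steps do not achieve this: `htmlspecialchars()` over the whole comment escapes every tag, so the rich text CKEditor produced would display as literal markup, and a `parse_url` check on a client-supplied Referer/Origin header is trivially forged. The tag and attribute allowlists, the `sanitize_comment` name and the sample payload are choices made for this example.

```python
"""Allowlist HTML sanitizer for rich-text comments (added example, stdlib only).

Keeps only known-safe formatting markup; everything else is dropped.
HTML Purifier (PHP) or bleach (Python) are maintained libraries that
implement the same idea with far more edge-case handling.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a comment editor legitimately produces (example allowlist).
# Anything else loses its markup; its text content is kept.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "blockquote", "code", "pre", "a"}
# Attributes allowed per tag. No style, no class, never on* handlers.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# URL schemes allowed in href; relative URLs (no scheme) are also accepted.
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# The *content* of these elements is discarded, not just the tags.
DROP_CONTENT_TAGS = {"script", "style"}


def _safe_href(value):
    """True if the href is relative or uses an allowed scheme."""
    # Browsers ignore control characters and whitespace inside the scheme
    # ("java\tscript:" runs as javascript:), so strip them before checking.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags emitted so far that need closing
        self.skip_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the markup; following text is still emitted
        parts = [tag]
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onclick, style, src, ... never reach the output
            value = value or ""
            if name == "href" and not _safe_href(value):
                continue  # javascript:, data:, vbscript: ... are removed
            parts.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s>" % " ".join(parts))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag.lower() not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return  # stray or disallowed closing tag: ignore
        # Close everything opened after this tag so the output stays balanced.
        while self.open_tags:
            open_tag = self.open_tags.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

    def close(self):
        super().close()
        while self.open_tags:  # unclosed input tags are closed for the reader
            self.out.append("</%s>" % self.open_tags.pop())


def sanitize_comment(html):
    """Return html rebuilt from allowlisted markup only."""
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)


# Constructed sample: what a user can submit by editing the POST body
# directly, regardless of which CKEditor buttons the page shows.
SAMPLE = ('<p onmouseover="alert(1)">Nice <b>post</b>!'
          '<script>steal(document.cookie)</script>'
          '<a href="java\tscript:alert(1)">click</a> '
          '<a href="https://example.com/">ok</a></p>'
          '<img src=x onerror="alert(1)">')

if __name__ == "__main__":
    print(sanitize_comment(SAMPLE))
    # -> <p>Nice <b>post</b>!<a>click</a> <a href="https://example.com/">ok</a></p>
```

Run the sanitizer on the stored value (after the sanitized HTML is what you persist and render; sanitizing only on the way in is the approach the answer describes). The allowlist is deliberately a denylist's opposite: a new attack vector in a tag or attribute you never listed is dropped by default, whereas a filter that tries to spot bad patterns has to be updated for each one.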
