dowjgrm6787 2012-10-07 20:22
Views: 51
Accepted

What constitutes "user input" when dealing with XSS attack prevention? [closed]

I am looking to secure my code against XSS attacks, yet all of the examples I have been reading deal with direct user input validation (such as in a contact form or a login).

I'm a bit confused as to whether I need to protect my code if there was no way to input directly (i.e., my website was only reading from a database and not writing to it). I'm still thinking I need to, because I class my database as an external source, and the data within the variables echoed is still coming from elsewhere.

Am I right in thinking that any data read still constitutes user input and should be treated accordingly? Also, if I then added a contact form, would I need to then validate/sanitise/escape every piece of information pulled from my database in every page, or only deal with it at the form itself?


2 answers

  • duanhe2027 2012-10-07 20:53

    Forget the term "user input" and think in terms of "unknown strings". Anything that you do not know for a fact what it contains is potentially dangerous or disruptive in the right context.

    It's also important to remember there is no single solution for all cases. For example these all may require different types of sanitizing or escaping:

    • HTML attributes: <a href="$unknown">
    • HTML text content: <p>$unknown</p>
    • JavaScript: <script>var B = $unknown;</script>
    • SQL: SELECT * from $unknown
    • CSS: .myClass { color:$unknown; }

    In general you should (if possible) avoid using unknown data in HTML attributes, CSS, or JavaScript, because those are places where it can get complicated. For most cases, simply escaping the HTML characters is all you need to do.

    The key word here is context, which is one reason why you never want to "sanitize" input, but output. The same data could be used in different contexts and require different measures of escaping or filtering.

    I highly suggest using OWASP as a resource to learn about XSS and security in general: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

    This answer was chosen by the asker as the best answer.
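To make the answer's point about context concrete, here is an added example (not code from the original answer) that writes the same unknown string, read from a database and never validated on the way in, into the three HTML output contexts listed above. The helper names escapeHtmlText, escapeHtmlAttr, safeHref and escapeJsString, and the sample value, are assumptions made for this illustration.

```javascript
// Added example: the same unknown string escaped per output context.
// Helper names and the sample value are assumptions for this illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text content: <p>$unknown</p>
function escapeHtmlText(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Quoted HTML attribute value: the same characters are escaped, but the
// attribute must actually be quoted in the template for this to be enough.
function escapeHtmlAttr(s) {
  return escapeHtmlText(s);
}

// href is a special attribute: escaping alone does not stop a non-http URL
// scheme, so only http(s) URLs are accepted; anything else becomes "#".
function safeHref(s) {
  const v = String(s).trim();
  if (!/^https?:\/\//i.test(v)) return '#';
  return escapeHtmlAttr(v);
}

// JavaScript string literal inside <script>: JSON.stringify yields a valid
// literal; "<" is additionally escaped so "</script>" cannot close the block,
// and U+2028/U+2029 are escaped because older engines treat them as newlines.
function escapeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed sample value, standing in for a row read from the database.
const unknown = 'O\'Neil <b>"bold"</b> & </script>';

// Render one value into all three contexts, each with its own escaping.
function render(value) {
  return [
    `<p>${escapeHtmlText(value)}</p>`,
    `<a href="${safeHref(value)}">link</a>`,
    `<script>var B = ${escapeJsString(value)};</script>`,
  ].join('\n');
}

console.log(render(unknown));
```

Note that none of this happens when the form is submitted; it happens at each place the value is written out, which is what "escape on output" means in practice.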