duandi2853 2016-01-06 08:57
Views: 38
Accepted

How do I sanitize a parameter used in JavaScript?

I have the following PHP code:

<?php $redirect_lp = $_GET['lp']; ?>
<script>
    setTimeout(function(){
        window.location.href = "<?php echo $redirect_lp; ?>";
    }, 10)
</script>

How do I sanitize $redirect_lp?

I know this code is bad because of this attack:

http://example.com/index.php?lp="-alert("XSS "%2bdocument.domain)-"

To protect from this particular attack, I sanitize for ":

$redirect_lp = str_replace("\"", "", $redirect_lp);

Is this enough?


3 answers

  • dousou3027 2016-01-06 09:11

    First remove all illegal characters from the $redirect_lp variable, then check if it is a valid URL:

    <?php 
       $redirect_lp = $_GET['lp']; 
    
       // Remove all illegal characters from a url
       $redirect_lp = filter_var($redirect_lp, FILTER_SANITIZE_URL);
    ?>
    <?php if (filter_var($redirect_lp, FILTER_VALIDATE_URL)): ?>
        <script>
           setTimeout(function(){
               window.location.href = "<?php echo $redirect_lp; ?>";
           }, 10)
        </script>
    <?php endif; ?>
    
    This answer was chosen by the asker as the best answer.
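A hardened form of the same redirect, as an added example that is not from the original question or the answer above: it keeps the structural URL check, additionally restricts the scheme to http/https and the host to an allow-list (the host names are assumed placeholder values), and encodes the result for a JavaScript string context with json_encode instead of echoing it raw between quotes.

```php
<?php
// Added example, not the poster's or answerer's code. Assumes the target is
// still passed as ?lp=... and that $allowed_hosts (placeholder values) lists
// every host this page may send users to.

function safe_redirect_target(?string $candidate, array $allowed_hosts): ?string
{
    if ($candidate === null || $candidate === '') {
        return null;
    }
    // Structural check only: a syntactically valid URL of any scheme passes.
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only web schemes: rejects javascript:, data:, file: and the like.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Open-redirect defence: only hosts on the allow-list are accepted.
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return null;
    }
    return $candidate;
}

$allowed_hosts = ['example.com', 'www.example.com']; // placeholder allow-list
$lp = $_GET['lp'] ?? null;                           // may be an array (lp[]=)
$target = safe_redirect_target(is_string($lp) ? $lp : null, $allowed_hosts);
if ($target === null) {
    $target = '/'; // fixed, trusted fallback instead of echoing bad input
}

// json_encode emits a quoted JS string literal; the HEX flags turn " ' < > &
// into \uXXXX escapes, so the value can neither close the string nor end the
// <script> element with "</script>", whatever the URL filters let through.
$js_target = json_encode(
    $target,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);
?>
<script>
    setTimeout(function () {
        window.location.href = <?php echo $js_target; ?>;
    }, 10);
</script>
```

After the same validation, a server-side `header('Location: ...')` redirect avoids the JavaScript context entirely and is the simpler option when no delay is needed.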