dongshaidu2456 2015-01-03 03:18
浏览 85
已采纳

我应该XSS过滤所有输入数据吗?

I have a script that returns POST data if it exists, like this:

public function post($key){
    if(isset($_POST[$key])){
            return $_POST[$key];
        }else{
            return false;
    }
}

// Will return false if index doesn't exist
echo $this->class->post("key");

I was wondering if it is recommended to filter everything in that function (using a XSS library such as htmlpurifier) if the index exists? I have a function which does the exact same for get requests too.

Thanks,

Peter

  • 写回答

2条回答 默认 最新

  • 普通网友 2015-01-03 03:33
    关注

    It should work for making your application very secure, as no user input (besides the user editable $_FILE, $_SERVER) would be susceptible to XSS unless there was a glitch in your library. However, it may adversely affect your servers performance if many people are attempting to access your application. I would write a better function like this:

    public function post($key, $validate = true){
    if(isset($_POST[$key])){
            if($validate===true) {
            return validate($_POST[$key]);
            } else {
            return $_POST[$key]
        }else{
            return false;
    }
}

    That way you can choose which post variables you want to validate. It reduces the overall security of your application, but if you use it correctly, you can minimize the impact.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥60 ESP32怎么烧录自启动程序
  • ¥50 html2canvas超出滚动条不显示
  • ¥15 java业务性能问题求解(sql,业务设计相关)
  • ¥15 52810 尾椎c三个a 写蓝牙地址
  • ¥15 elmos524.33 eeprom的读写问题
  • ¥15 使用Java milo连接Kepserver服务端报错?
  • ¥15 用ADS设计一款的射频功率放大器
  • ¥15 怎么求交点连线的理论解?
  • ¥20 软件开发方法学习来了
  • ¥15 微信小程序商城如何实现多商户收款 平台分润抽成