douyi1855 2014-10-17 09:33
浏览 30
已采纳

html值属性中的htmlspecalchars是否足以阻止xss?

Is htmlspecialchars() a foolproof way of preventing any risk of an XSS attack on HTML element attributes?

For example, in this input element will the use of htmlspecialchars() also encoding quotes ensure total safety?

Logically it would seem so as it would stop any string from breaking out of the context of the value attribute; or is there more that could be done?

<input type="text" value="<?php echo htmlspecialchars($dangerousString, ENT_QUOTES, 'UTF-8'); ?>"
  • 写回答

1条回答 默认 最新

  • dongmeng1868 2014-10-17 10:17
    关注

    Assuming you're using a modern version of php, htmlspecialchars should do the trick.

    It's important to note that you also must provide the same encoding (utf8) for the whole page via headers and meta tags. Otherwise, you're subject to UTF-7 injection.

    Also do note, that htmlspecialchars is fine only for attributes like value, that don't interpret javascript. It's not enough for src and friends.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 phython如何实现以下功能?查找同一用户名的消费金额合并—
  • ¥15 孟德尔随机化怎样画共定位分析图
  • ¥18 模拟电路问题解答有偿速度
  • ¥15 CST仿真别人的模型结果仿真结果S参数完全不对
  • ¥15 误删注册表文件致win10无法开启
  • ¥15 请问在阿里云服务器中怎么利用数据库制作网站
  • ¥60 ESP32怎么烧录自启动程序
  • ¥50 html2canvas超出滚动条不显示
  • ¥15 java业务性能问题求解(sql,业务设计相关)
  • ¥15 52810 尾椎c三个a 写蓝牙地址