doudu4282 2013-10-08 23:32
Views: 62
Accepted

Does [a-zA-Z]+ remove any chance of an XSS attack?

I believe only allowing characters in the range of a-z and A-Z would remove any possibility of an XSS attack? I've read a lot about simply putting all output through htmlspecialchars(), but it seems that there are some cases in which this is not enough to provide complete protection.

Also, if [a-zA-Z]+ is totally safe, is there any way to accept the ' and - characters totally safely to avoid any possible chance of an XSS attack? (Since these are the two main characters found in names aside from a-z.)


1 answer

  • douchi1945 2013-10-08 23:37

    There are two sides to this question.

    First off: yes of course, if there's no way to 'break out of context' you're eliminating all chances of both XSS and SQL injection exploits. It's impossible to insert either JS or SQL if you can only use alphabetic characters.

    Second: it's of course not a real protection, akin to never driving a car again as a failsafe method not to get in accidents. One day or another you are going to have input forms on your site which require other characters to be inserted, and you're going to be screwed. Just writing your code to be fundamentally safe, never trust client input, and properly escape all HTML generated by your code is in the end the only safe route.

    What you're trying to do is solve an output problem on the input end, which just doesn't work. If you have arbitrary user input, you'll eventually have people trying to abuse it to do nasty things. Learn how to escape it properly on the output end, use a template system like Twig for output that handles most XSS problems inherently, and use a DAL/ORM like Doctrine or a good parametrized database access API like MySQLi or PDO to avoid SQL injection.

    This answer was selected by the asker as the best answer.
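The output-side escaping the answer recommends, as an added example that is not part of the original post (plain Python so it runs anywhere; the two escape functions are hand-written to mirror PHP's htmlspecialchars() with ENT_COMPAT, the default before PHP 8.1, versus ENT_QUOTES, the default from PHP 8.1 on). It shows that the [a-zA-Z]+ whitelist rejects an ordinary name, that escaping without quote handling leaves a single-quoted attribute's context broken, and that escaping with quote handling keeps the ' and - characters while the attribute stays intact.

```python
import re

# Constructed sample input: an ordinary name containing the ' and -
# characters the question wants to accept.
SAMPLE_NAME = "O'Brien-Smith"

ALPHA_ONLY = re.compile(r"[a-zA-Z]+")


def whitelist_accepts(value: str) -> bool:
    """The input-side rule from the question: letters only, nothing else."""
    return ALPHA_ONLY.fullmatch(value) is not None


def escape_compat(value: str) -> str:
    """Escapes &, <, > and double quotes only; single quotes pass through.
    Mirrors htmlspecialchars() with ENT_COMPAT (PHP's default before 8.1).
    '&' is handled first so already-escaped output is not double-escaped
    in the wrong order."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def escape_quotes(value: str) -> str:
    """Also escapes single quotes. Mirrors htmlspecialchars() with ENT_QUOTES,
    which is what a value placed inside a '-delimited attribute needs."""
    return escape_compat(value).replace("'", "&#039;")  # -> "O&#039;Brien-Smith"


def render_attr(value: str, escaper) -> str:
    """Place the escaped value inside a single-quoted HTML attribute."""
    return "<input value='" + escaper(value) + "'>"


def attribute_intact(rendered: str) -> bool:
    """Defender-side check: the only single quotes in the tag must be the
    two delimiting the value; any extra one means the context was broken."""
    return rendered.count("'") == 2


if __name__ == "__main__":
    print("whitelist accepts sample:", whitelist_accepts(SAMPLE_NAME))
    for name, fn in (("ENT_COMPAT-style", escape_compat),
                     ("ENT_QUOTES-style", escape_quotes)):
        out = render_attr(SAMPLE_NAME, fn)
        print(f"{name}: {out}  intact={attribute_intact(out)}")
```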

