dowjgrm6787 2012-10-07 20:22
Viewed 51 times
Accepted

What constitutes "user input" when defending against XSS attacks? [closed]

I am looking to secure my code against XSS attacks, yet all of the examples I have been reading deal with direct user input validation (such as in a contact form or a login).

I'm a bit confused as to whether I need to protect my code if there was no way to input directly (i.e., my website was only reading from a database and not writing to it)? I'm still thinking I need to because I class my database as an external source, and data within the variables echoed are still coming from elsewhere.

Am I right in thinking that any data read still constitutes user input and should be treated accordingly? Also, if I then added a contact form, would I need to then validate/sanitise/escape every piece of information pulled from my database in every page, or only deal with it at the form itself?


2 answers

  • duanhe2027 2012-10-07 20:53

    Forget the term "user input" and think in terms of "unknown strings". Anything that you do not know for a fact what it contains is potentially dangerous or disruptive in the right context.

    It's also important to remember there is no single solution for all cases. For example these all may require different types of sanitizing or escaping:

    • HTML attributes: <a href="$unknown">
    • HTML text content: <p>$unknown</p>
    • JavaScript: <script>var B = $unknown;</script>
    • SQL: SELECT * from $unknown
    • CSS: .myClass { color:$unknown; }

    In general you should (if possible) avoid using unknown data in HTML attributes, CSS, or JavaScript - because those are places where it can get complicated. For most cases, simply escaping the HTML characters is all you need to do.

    The key word here is context, which is one reason why you never want to "sanitize" input, but output. The same data could be used in different contexts and require different measures of escaping or filtering.

    I highly suggest using OWASP as a resource to learn about XSS and security in general: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

    This answer was accepted by the asker.
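The context-dependence the answer describes, as an added example that is not part of the original post: one constructed "unknown" string rendered into three of the contexts listed above (HTML text, an `href` attribute, and a JavaScript string literal), each through its own encoder. The encoder names (`escapeHtmlText`, `safeHref`, `jsStringLiteral`, `render`) are ours; the rules they implement follow the OWASP output-encoding guidance the answer links to.

```javascript
// HTML text content: <p>$unknown</p>
// Encodes the five characters that can change HTML structure.
function escapeHtmlText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute holding a URL: <a href="$unknown">
// This is a URL context on top of an attribute context: attribute encoding
// alone does not stop a non-http scheme, so the scheme is allow-listed first,
// and the helper emits the quotes itself so the attribute is always quoted.
function safeHref(s) {
  const url = String(s).trim();
  if (!/^https?:\/\//i.test(url)) return '"#"'; // reject anything but http(s)
  return '"' + escapeHtmlText(url) + '"';
}

// JavaScript string literal inside <script>: <script>var B = "$unknown";</script>
// JSON.stringify yields a valid JS string literal; "</" is split so the HTML
// parser cannot see a closing </script> tag, and U+2028/U+2029 are escaped
// because they end a JS line but are legal unescaped in JSON.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render the same unknown value into each context with the matching encoder.
function render(unknown) {
  return {
    text: '<p>' + escapeHtmlText(unknown) + '</p>',
    attr: '<a href=' + safeHref(unknown) + '>',
    script: '<script>var B = ' + jsStringLiteral(unknown) + ';</script>',
  };
}

// Constructed sample value (not real data): it contains characters that are
// special in all three contexts.
const SAMPLE = 'Tom & "Jerry" <3 </script>';

console.log(JSON.stringify(render(SAMPLE), null, 2));
```

Note that the HTML-text output would not be safe if pasted into the `<script>` context, and vice versa: escaping is chosen per output location, not per data source.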