duandi2853 2016-01-06 08:57
Views: 39
Accepted

How do I sanitize a parameter that is used in JavaScript?

I have the following php code:

<?php $redirect_lp = $_GET['lp']; ?>
<script>
    setTimeout(function(){
        window.location.href = "<?php echo $redirect_lp; ?>";
    }, 10)
</script>

how do I sanitize $redirect_lp?

I know this code is bad because of this attack:

http://example.com/index.php?lp="-alert("XSS "%2bdocument.domain)-"

to protect from this particular attack, I sanitize for ":

$redirect_lp = str_replace("\"", "", $redirect_lp);

is this enough?


3 answers

  • dousou3027 2016-01-06 09:11

    First remove all illegal characters from the $redirect_lp variable, then check if it is a valid URL:

    <?php 
       $redirect_lp = $_GET['lp']; 
    
       // Remove all illegal characters from a url
       $redirect_lp = filter_var($redirect_lp, FILTER_SANITIZE_URL);
    ?>
    <?php if (filter_var($redirect_lp, FILTER_VALIDATE_URL)): ?>
        <script>
           setTimeout(function(){
               window.location.href = "<?php echo $redirect_lp; ?>";
           }, 10)
        </script>
    <?php endif; ?>
    
    This answer was accepted by the asker.
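The snippet in the question mixes two separate problems: deciding whether the value is an acceptable redirect target at all, and emitting it safely inside a JavaScript string that itself sits inside an HTML script element. Stripping one character addresses neither in general: a string such as `</script>` ends the script block no matter how it is quoted, and a syntactically valid URL can still carry a `javascript:` scheme (the PHP manual itself notes that FILTER_VALIDATE_URL does not restrict the protocol). The following is an added example, not code from the question or the accepted answer; the allowed-host list is a hypothetical assumption for illustration, and the `JSON_THROW_ON_ERROR` flag requires PHP 7.3 or later.

```php
<?php
// Added example (not from the original question or answer): validate the
// redirect target explicitly, then encode it for the JavaScript context.
// ASSUMPTION: the allowed redirect hosts are hypothetical placeholders.
declare(strict_types=1);

const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

/**
 * Return $url unchanged if it is safe to redirect to, otherwise null.
 * Allowlists scheme and host instead of trying to strip "bad" characters.
 */
function safe_redirect_target(string $url): ?string
{
    // Control characters and whitespace never belong in a redirect target;
    // rejecting them up front keeps later parsing steps unambiguous.
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return null;
    }
    // Structural check only: this does NOT constrain the scheme.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only http(s) may be used; this rejects javascript:, data:, etc.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Destination allowlist: also closes the open-redirect hole.
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $url;
}

/**
 * Encode a PHP string as a JavaScript string literal (quotes included).
 * The HEX flags turn < > & ' " into \uXXXX escapes, so the literal can
 * never contain "</script>" or break out of the surrounding quotes.
 */
function js_string(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR
    );
}

// $_GET['lp'] may be missing or an array; only a string is considered.
$lp = $_GET['lp'] ?? '';
$redirect_lp = is_string($lp) ? safe_redirect_target($lp) : null;
?>
<?php if ($redirect_lp !== null): ?>
<script>
    setTimeout(function(){
        // js_string() emits its own surrounding quotes.
        window.location.href = <?php echo js_string($redirect_lp); ?>;
    }, 10)
</script>
<?php endif; ?>
```

With this arrangement the attack URL from the question is rejected by `safe_redirect_target()` before it reaches the template (it has no `http` or `https` scheme and no allowlisted host), and even a value that passes validation is written as a `\u`-escaped JSON literal, so the JavaScript string boundary and the `</script>` boundary are both preserved. The validation step and the encoding step are independent; neither one substitutes for the other.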