dongshaidu2456 2015-01-03 03:18
Views: 85
Accepted

Should I XSS-filter all input data?

I have a script that returns POST data if it exists, like this:

public function post($key){
    if(isset($_POST[$key])){
        return $_POST[$key];
    }else{
        return false;
    }
}

// Will return false if index doesn't exist
echo $this->class->post("key");

I was wondering if it is recommended to filter everything in that function (using an XSS library such as HTML Purifier) if the index exists? I have a function which does the exact same for GET requests too.

Thanks,

Peter


2 answers

  • 普通网友 2015-01-03 03:33

    It should work for making your application very secure, as no user input (besides the user-editable $_FILE, $_SERVER) would be susceptible to XSS unless there was a glitch in your library. However, it may adversely affect your server's performance if many people are attempting to access your application. I would write a better function like this:

    public function post($key, $validate = true){
        if(isset($_POST[$key])){
            if($validate === true){
                // validate() stands for the XSS filter/purifier call
                return validate($_POST[$key]);
            }else{
                return $_POST[$key];
            }
        }else{
            return false;
        }
    }
    

    That way you can choose which post variables you want to validate. It reduces the overall security of your application, but if you use it correctly, you can minimize the impact.

    This answer was accepted by the asker.
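An added example, not part of the question or of the accepted answer above, showing the other way of handling the same accessor: leave `post()` returning the raw value and apply the encoder at the point of output, picking it by output context (HTML body/attribute versus inline script/JSON). It also shows the caveat a practitioner runs into with input-time encoding, namely that a value encoded on the way in is double-encoded if it is later escaped again on the way out, and is wrong for non-HTML sinks such as a database column or a JSON API. `Request::post`, `e()`, `js()` and `postEncoded()` are names chosen for this example, and the `$_POST` values are constructed test input.

```php
<?php
// Example code added to the page; not the asker's or the answerer's code.

final class Request
{
    // Hypothetical accessor with the same role as post()/get() in the question.
    // It returns the raw string, or null when the key is absent or not a string.
    // No filtering here: the same value may later go to HTML, to a JSON API,
    // to a database or to an e-mail, and each sink needs a different encoding
    // (or none), so the accessor cannot know which one to apply.
    public static function post(string $key): ?string
    {
        if (!isset($_POST[$key]) || !is_string($_POST[$key])) {
            return null;
        }
        return $_POST[$key];
    }
}

// Encoder for HTML element content and quoted attribute values.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoder for data embedded in an inline <script> block: JSON with the flags
// that also escape < > & ' " as \uXXXX, so "</script>" in a value cannot
// close the script element.
function js($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// For contrast, the approach the question asks about: encode inside the accessor.
function postEncoded(string $key): ?string
{
    $v = Request::post($key);
    return $v === null ? null : e($v);
}

// Constructed sample input standing in for a real POST body.
$_POST['name'] = '<img src=x onerror=alert(1)>';
$_POST['bio']  = "O'Reilly & co </script><script>alert(2)</script>";

$name = Request::post('name') ?? '';
$bio  = Request::post('bio')  ?? '';

// Stored raw: the database row holds exactly what the user typed, which is
// what you want for searching, editing and later re-rendering in any format.
$row = ['name' => $name, 'bio' => $bio];

// Rendered as HTML: encode for the HTML context at the template.
echo '<h1>' . e($name) . '</h1>' . PHP_EOL;
echo '<input type="text" name="name" value="' . e($name) . '">' . PHP_EOL;
echo '<p>' . e($bio) . '</p>' . PHP_EOL;

// Handed to client-side script: encode for the JavaScript/JSON context instead.
echo '<script>var profile = ' . js($row) . ';</script>' . PHP_EOL;

// Returned from a JSON API: plain json_encode() with a non-HTML content type;
// HTML-escaping here would corrupt the data for the API client.
// header('Content-Type: application/json; charset=utf-8');
// echo json_encode($row, JSON_THROW_ON_ERROR);

// The input-time variant: the HTML-encoded form is what gets stored, and a
// template that (correctly) escapes on output then escapes it a second time,
// so the user sees "&lt;img ..." literally instead of the text they typed.
$stored = postEncoded('name');      // already contains &lt; &gt; &quot;
$twice  = e((string) $stored);      // now contains &amp;lt; &amp;gt; &amp;quot;
echo '<h1>' . $twice . '</h1>' . PHP_EOL;
```

Whichever way the accessor is written, the check to make is the same: for each place a request value is written out, confirm that exactly one encoder runs and that it matches that output's context. HTML Purifier belongs at the one spot where you deliberately accept a subset of HTML (a rich-text field), not in the generic accessor.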
