dongshaidu2456 2015-01-03 03:18
Views: 85
Accepted

Should I XSS-filter all input data?

I have a script that returns POST data if it exists, like this:

public function post($key){
    if(isset($_POST[$key])){
        return $_POST[$key];
    }else{
        return false;
    }
}

// Will return false if index doesn't exist
echo $this->class->post("key");

I was wondering if it is recommended to filter everything in that function (using an XSS library such as htmlpurifier) if the index exists? I have a function which does the exact same for GET requests too.

Thanks,

Peter


2 answers

  • 普通网友 2015-01-03 03:33

    It should work for making your application very secure, as no user input (besides the user editable $_FILE, $_SERVER) would be susceptible to XSS unless there was a glitch in your library. However, it may adversely affect your server's performance if many people are attempting to access your application. I would write a better function like this:

    public function post($key, $validate = true){
        if(isset($_POST[$key])){
            if($validate === true){
                // validate() stands for the filtering library call (e.g. HTMLPurifier)
                return validate($_POST[$key]);
            }else{
                return $_POST[$key];
            }
        }else{
            return false;
        }
    }


    That way you can choose which post variables you want to validate. It reduces the overall security of your application, but if you use it correctly, you can minimize the impact.

    This answer was selected as the best answer by the asker.
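The accessor from the question and the optional `$validate` switch from the accepted answer, combined into one added example (this is not code from either post). It also shows the step neither snippet includes: escaping with `htmlspecialchars` at the point of output, which is the control that prevents XSS whatever arrived in `$_POST`. The `Request` class, the `validate_input` placeholder and the sample request data are all constructed for this example; `validate_input` only drops control characters and stands in for the HTMLPurifier call the asker mentions.

```php
<?php
// Added example; it is not the code from the question or the answer above.
// It keeps the accessor contract from the question (false when the key is
// absent), adds the optional filter switch from the answer, and adds the
// step neither snippet shows: escaping at the point of output, which is the
// control that actually stops XSS regardless of what reached $_POST.

// Stand-in for the XSS library call the question mentions (hypothetical).
// With HTMLPurifier this would be something like
// (new HTMLPurifier())->purify($value); the rule below only drops control
// characters and is a constructed placeholder, not an XSS defence.
function validate_input($value)
{
    return preg_replace('/[^\P{C}\n\t]/u', '', (string) $value);
}

class Request
{
    private $post;
    private $get;

    // The superglobals are injected so the class can be exercised with
    // constructed data instead of a real request.
    public function __construct(array $post, array $get)
    {
        $this->post = $post;
        $this->get  = $get;
    }

    /** @return string|false  Same contract as the question's post(). */
    public function post($key, $validate = false)
    {
        return $this->read($this->post, $key, $validate);
    }

    /** @return string|false  The GET twin the asker says he also has. */
    public function get($key, $validate = false)
    {
        return $this->read($this->get, $key, $validate);
    }

    private function read(array $source, $key, $validate)
    {
        if (!isset($source[$key])) {
            return false;
        }
        $value = (string) $source[$key];
        // $validate mirrors the answer's per-key switch: filter only
        // where the caller asks for it, keep the raw value otherwise.
        return $validate ? validate_input($value) : $value;
    }
}

// HTML-context encoder for use at every echo of untrusted data.
// ENT_QUOTES is what makes the same helper safe inside attribute values.
function html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample request standing in for $_POST / $_GET.
$req = new Request(
    ['name' => '<b>Peter</b>', 'note' => "line1\x07line2"],
    ['q' => 'a&b']
);

// Raw value is kept for storage or logging; it is escaped only when rendered.
echo '<p>Hello, ' . html($req->post('name')) . "</p>\n";
echo '<input name="q" value="' . html($req->get('q')) . '">' . "\n";

// Optional filtering as in the answer: the control character is dropped.
echo html($req->post('note', true)) . "\n";

// Absent key still yields false, so callers can keep the original check.
var_dump($req->post('missing'));
```

Keeping the raw value in the accessor and encoding only when rendering avoids the double-encoding and data-loss problems that come from filtering everything on the way in, and lets the same stored value be emitted safely into HTML, attribute, or other contexts with the encoder that fits each one.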
