dsfvsdfv23599 2016-10-01 13:33
浏览 39
已采纳

如何从输入安全地存储代码

I am currently building an administration panel. There is a page where a file containing HTML is loaded into a html editor (TinyMCE) and is saved to the same file that was loaded (to save the changes).

The file is simply a page that has dynamic links that are to be interchanged from an administration panel. If all of these pages were the same, then I would simply save core values to a database and then load specific sections, however that is not the case as there are many variations of the templates, it's rare that any two are the same.

Therefore, I wanted an application that clients could use to edit these pages themselves. How would I go about saving these files in a secure way that strips any malicious behavior?

Thank you.

  • 写回答

1条回答 默认 最新

  • dongyupen6269 2016-10-01 14:01
    关注

    Sanitising html when storing it in the db is generally a bad idea, if you get it wrong and you corrupt the data there is no going back, you'd have to get your users to re-input the content once you'd fixed any mistakes. You might think you've covered all bases but there will always be that user that says "When I do this...."

    Instead just store the data in the database as it comes in (obviously filtering for sql injection) You don't want Mr O'reilly breaking your db.

    You need to filter the content on the way out of the db, how you do this depends on your circumstances.

    If you are just expecting your users to store text, then using htmlspecialchars is sufficient this will change < to &lt; and so on

    However if you want your users to be able to use tags then strip tags would be more appropriate

    eg

    $allowable_tags = array(
      '<p>',
      '<h1>',
      '<h2>',
      '<h3>',
      '<strong>',
      '<em>',
    );
    
    
    $content =  $db->get($page_id);
    
    echo strip_tags($content,implode('',$allowable_tags));
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 python天天向上类似问题,但没有清零
  • ¥30 3天&7天&&15天&销量如何统计同一行
  • ¥30 帮我写一段可以读取LD2450数据并计算距离的Arduino代码
  • ¥15 C#调用python代码(python带有库)
  • ¥15 矩阵加法的规则是两个矩阵中对应位置的数的绝对值进行加和
  • ¥15 活动选择题。最多可以参加几个项目?
  • ¥15 飞机曲面部件如机翼,壁板等具体的孔位模型
  • ¥15 vs2019中数据导出问题
  • ¥20 云服务Linux系统TCP-MSS值修改?
  • ¥20 关于#单片机#的问题:项目:使用模拟iic与ov2640通讯环境:F407问题:读取的ID号总是0xff,自己调了调发现在读从机数据时,SDA线上并未有信号变化(语言-c语言)