doutuo6689 2016-05-30 18:43
浏览 39

将未受保护的表单放入受密码保护的页面是否安全?

I'm in the process of building a small blog system to implement into our clients websites. I have built a simple wysiwyg text editor and everything works fine (almost...), but I store blog posts into a database. The problem is, I don't want malicious script to get into there. Also, if I escape the string, the HTML tags won't be able to format the text at the output (unless I'm unaware of something).

However, only people with accounts will be able to create a blog posts on their website (small business owners). So, if a password is needed to access the text editor, do I need to protect it as much? Do I need HTML Purifier or something? Am I simply on the wrong path of doing it?

  • 写回答

1条回答 默认 最新

  • douzi2333 2016-05-30 18:54
    关注

    Answer is: YES

    By not doing that you're actually incentivizing the hacking of your users accounts and putting them at risk. If a hacker gets access to one of those accounts then he can exploit that to compromise all users, which is bad news for you in so many different ways..

    Safety shouldn't be an optional feature.

    EDIT: answer should actually say "NO" as the question at the top is different from the question in the description.. so, NO, NOT safe to put an unprotected form inside a password protected page.

    评论

报告相同问题?

悬赏问题

  • ¥15 linux驱动,linux应用,多线程
  • ¥20 我要一个分身加定位两个功能的安卓app
  • ¥15 基于FOC驱动器,如何实现卡丁车下坡无阻力的遛坡的效果
  • ¥15 IAR程序莫名变量多重定义
  • ¥15 (标签-UDP|关键词-client)
  • ¥15 关于库卡officelite无法与虚拟机通讯的问题
  • ¥15 目标检测项目无法读取视频
  • ¥15 GEO datasets中基因芯片数据仅仅提供了normalized signal如何进行差异分析
  • ¥100 求采集电商背景音乐的方法
  • ¥15 数学建模竞赛求指导帮助