dsewbh5588 2016-04-30 03:07

Can saving the HTML generated by text editors such as TinyMCE or QuillJS be used to attack you?

I hope somebody can provide advice or tips before this gets closed, because I was warned that this is a subjective question.

I have my own PHP+SQL framework made out of Slim and Eloquent and am planning to integrate a forum into it; to make it more user-friendly, I am planning to add free-text editors for forum posting.

Apparently, these text editors send the HTML code via POST, and I plan to save it in a MySQL database. And since it's Eloquent, I understand it already handles prepared statements to avoid injection. But I am not sure that is safe enough: I was browsing phpBB and they don't have any pretty text editor to this day (or it is yet to be developed for 3.2), and I read that they are concerned about security, and I got more nervous since they are veterans there.

Can you get injected via these simple HTML codes? What other attacks can be used against my system?

Thanks!

1 answer

  • dongquanjie9328 2016-04-30 03:48

    As long as you escape everything before inserting it into SQL queries, the database will be safe... from the simplest form of SQL injection.

    To protect against JavaScript injection you'll have to clean up the markup on the server side before inserting it into the database, removing <script> tags. You might also want to remove iframe, link and form tags.

    You'll also have to configure content filtering on the client side. For example, TinyMCE has an invalid_elements option where you can list the tags to remove.

    The more features a system supports, the more risk, obviously. For example, an attacker may upload a file with a name containing a shell expression such as $(rm -rf /www/).png. So the server will be hacked if somebody on the server accidentally runs an eval on such a filename. Another example is uploading a script that looks like an image.

    I guess there is no point in listing more possible ways to hack the system. The answer to your question is: yes, the system can be hacked using the popular web editors. So I'd recommend minimizing the number of features exposed to the user, and thoroughly sanitizing user input, especially on the server side.

    This answer was selected as the best answer by the asker.
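The following is an added example, not code from the question, the answer, or any of the projects mentioned. It puts the answer's advice ("remove <script>, iframe, link and form tags") side by side with an allowlist sanitizer and runs both over a handful of constructed payloads of the kind a rich-text editor can be made to submit. The point it makes is that a tag blocklist never looks at attributes, so event handlers (`onerror`, `onload`) and `javascript:` URLs pass straight through, while an allowlist that only keeps known tags, known attributes and vetted URL schemes stops them. Python is used so the example runs stand-alone; in the asker's PHP stack the established allowlist sanitizer is HTML Purifier. The set of allowed tags is an assumption about what a forum post needs, and the payload strings are constructed for this demonstration.

```python
"""Blocklist vs. allowlist sanitising of HTML submitted by a rich-text editor."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# --- 1. The approach the answer describes: strip a blocklist of tags -----------
BLOCKED_TAGS = ("script", "iframe", "link", "form")


def blocklist_strip(html: str) -> str:
    """Remove blocked elements with their content, then any stray blocked tags."""
    for tag in BLOCKED_TAGS:
        html = re.sub(rf"<{tag}\b[^>]*>.*?</{tag}\s*>", "", html, flags=re.I | re.S)
        html = re.sub(rf"</?{tag}\b[^>]*>", "", html, flags=re.I)
    return html


# --- 2. Allowlist: keep only known tags/attributes and vet URL schemes ----------
# Assumed set of tags a forum post needs; everything else is dropped.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "u": set(), "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "pre": set(), "code": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}                  # no closing tag is emitted for these
DROP_CONTENT = {"script", "style"}    # their text is code, not prose: discard it
URL_ATTRS = {"href", "src"}


def safe_url(url: str) -> bool:
    # Browsers ignore ASCII control characters inside a URL, so "java\tscript:"
    # is executed as javascript:. Strip them before examining the scheme.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", url)
    return urlparse(cleaned).scheme.lower() in ("", "http", "https")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded; we re-escape
        self.out, self.skipping = [], None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED:
            return  # drop the tag; its text still flows through handle_data
        kept = [tag]
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # unknown attribute (onerror, onload, style, ...)
            if name in URL_ATTRS and not safe_url(value):
                continue  # javascript:, data:, vbscript: and friends
            kept.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(kept) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(escape(data, quote=False))


def allowlist_sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed payloads: one benign post and five things an editor can be coaxed
# into submitting (or an attacker can POST directly, bypassing the editor).
PAYLOADS = [
    '<p>Hello <b>world</b></p>',
    '<script>alert(1)</script>',
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    '<a href="java&#9;script:alert(1)">click</a>',
    '<svg onload=alert(1)>',
]


def compare(payloads=PAYLOADS):
    """Return (raw, after blocklist, after allowlist) for each payload."""
    return [(raw, blocklist_strip(raw), allowlist_sanitize(raw)) for raw in payloads]


if __name__ == "__main__":
    for raw, blocked, allowed in compare():
        print(f"raw:       {raw}\nblocklist: {blocked}\nallowlist: {allowed}\n")
```

Running it shows the blocklist passing the `<img onerror>`, `javascript:` and `<svg onload>` payloads unchanged, while the allowlist keeps `<img src="x">`, `<a>click</a>` and an empty string respectively. The client-side TinyMCE `invalid_elements` setting the answer mentions is a convenience for users, not a control: the POST body can be crafted without the editor, so the server-side pass is the one that matters.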