douyi1855 2014-10-17 09:33
浏览 30
已采纳

html值属性中的htmlspecalchars是否足以阻止xss?

Is htmlspecialchars() a foolproof way of preventing any risk of an XSS attack on HTML element attributes?

For example, in this input element will the use of htmlspecialchars() also encoding quotes ensure total safety?

Logically it would seem so as it would stop any string from breaking out of the context of the value attribute; or is there more that could be done?

<input type="text" value="<?php echo htmlspecialchars($dangerousString, ENT_QUOTES, 'UTF-8'); ?>"
  • 写回答

1条回答 默认 最新

  • dongmeng1868 2014-10-17 10:17
    关注

    Assuming you're using a modern version of php, htmlspecialchars should do the trick.

    It's important to note that you also must provide the same encoding (utf8) for the whole page via headers and meta tags. Otherwise, you're subject to UTF-7 injection.

    Also do note, that htmlspecialchars is fine only for attributes like value, that don't interpret javascript. It's not enough for src and friends.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 PADS Logic 原理图
  • ¥15 PADS Logic 图标
  • ¥15 电脑和power bi环境都是英文如何将日期层次结构转换成英文
  • ¥20 气象站点数据求取中~
  • ¥15 如何获取APP内弹出的网址链接
  • ¥15 wifi 图标不见了 不知道怎么办 上不了网 变成小地球了
  • ¥50 STM32单片机传感器读取错误
  • ¥15 (关键词-阻抗匹配,HFSS,RFID标签天线)
  • ¥15 机器人轨迹规划相关问题
  • ¥15 word样式右侧翻页键消失