douyi1855 2014-10-17 09:33
浏览 30
已采纳

html值属性中的htmlspecalchars是否足以阻止xss?

Is htmlspecialchars() a foolproof way of preventing any risk of an XSS attack on HTML element attributes?

For example, in this input element will the use of htmlspecialchars() also encoding quotes ensure total safety?

Logically it would seem so as it would stop any string from breaking out of the context of the value attribute; or is there more that could be done?

<input type="text" value="<?php echo htmlspecialchars($dangerousString, ENT_QUOTES, 'UTF-8'); ?>"
  • 写回答

1条回答 默认 最新

  • dongmeng1868 2014-10-17 10:17
    关注

    Assuming you're using a modern version of php, htmlspecialchars should do the trick.

    It's important to note that you also must provide the same encoding (utf8) for the whole page via headers and meta tags. Otherwise, you're subject to UTF-7 injection.

    Also do note, that htmlspecialchars is fine only for attributes like value, that don't interpret javascript. It's not enough for src and friends.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥50 有数据,怎么建立模型求影响全要素生产率的因素
  • ¥50 有数据,怎么用matlab求全要素生产率
  • ¥15 TI的insta-spin例程
  • ¥15 完成下列问题完成下列问题
  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换
  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!
  • ¥15 drone 推送镜像时候 purge: true 推送完毕后没有删除对应的镜像,手动拷贝到服务器执行结果正确在样才能让指令自动执行成功删除对应镜像,如何解决?
  • ¥15 求daily translation(DT)偏差订正方法的代码
  • ¥15 js调用html页面需要隐藏某个按钮