dongshi3818 2014-10-30 14:34
浏览 60
已采纳

在自定义Twig函数中避免使用XSS?

What is the riht way to escape XSS in custom Twig function?

Consider this :

class TwigExtension extends \Twig_Extension
{
    public function getName()
    {
        return 'html_helpers';
    }

    public function getFunctions()
    {
        $options = array(
            'is_safe' => array('html')
        );
        return array(
            new \Twig_SimpleFunction('greating', array($this, 'greating'),$options)
        );
    }

    public function greating($name)
    {
        return "Salut ".$name;
    }  
}

And the call in the template : {{ greating("<script>alert('Sébastien')</script>") }}

It will display the JS alert. How can I avoid this?

  • 写回答

1条回答 默认 最新

  • dongming6201 2014-10-31 00:40
    关注

    You could prevent scripts like that from getting put in by wrapping the name in htmlspecialchars just like the twig escape filter uses internally:

    public function greating($name)
{
    return "Salut ".htmlspecialchars($name);
}

    http://twig.sensiolabs.org/doc/filters/escape.html

    Internally, escape uses the PHP native htmlspecialchars function for the HTML escaping strategy.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 HFSS 中的 H 场图与 MATLAB 中绘制的 B1 场 部分对应不上
  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?