dsadsa123111 2016-05-30 12:13
Views: 40

Make sure a given string contains an iframe or object tag

We are adding embeddable content that users can add. This opens up a lot of exploits, and I want to start minimizing the potential damage.

First off, I need to make sure the embeddable string starts with either <iframe> or <object> and ends with </iframe> or </object>.

Found this: https://stackoverflow.com/questions/28118798/how-can-i-check-a-string-is-iframe-tag-by-php-functions

but I need to rewrite it, and I'm at a loss.

$string = '<iframe src="sourceurl"></iframe>';
$test = strpos($string,'<iframe');
if (!empty($test)) {
    echo 'That has an iframe!!';
} else {
    // the apostrophe has to be escaped inside a single-quoted PHP string
    echo 'There\'s no iframe in there...';
}

How do I attack this? And on a sidenote, should I just scrap object embeds? They feel highly vulnerable..


1 answer

  • doumowu7371 2016-05-30 12:25

    This is happening because <iframe is at the beginning of your $string, meaning that strpos will return 0 because the <iframe starts at position 0, and because empty(0) returns true (meaning it is empty), which is not true in our case, because 0 in our case means something.

    To solve this problem, just replace !empty($test) with $test >= 0, something like this:

    $string = '<iframe src="sourceurl"></iframe>';
    $test = strpos($string,'<iframe');

    // in this case $test = 0 because it is at the start of the string.
    // strpos() returns false when the needle is not found, and in PHP
    // false >= 0 is true, so the check has to be a strict one against false
    if ($test !== false) {
      echo 'That has an iframe!!';
    } else {
      echo 'There\'s no iframe in there...';
    }

    // you can even use Regular Expressions
    // to ensure that your string starts with <iframe , here is an example :

    // ^ : means start with.
    if(preg_match('/^<iframe /',$string)){
        echo 'That has an iframe using Regular Expressions!!';
    }

    Hope it helps.

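The question asks for a string that starts with <iframe> or <object> and ends with the matching closing tag, and the answer shows why the strpos result has to be compared strictly. The following is an added example, not code from the question or the answer: it checks the wrapper with one anchored regex, rejects strings that carry more than one element, and then restricts the iframe's src to an allowlist of hosts. The host names in the allowlist and the sample strings are constructed placeholders, and the decision to reject <object> embeds is an assumption made here, since the question itself wonders whether to scrap them.

```php
<?php
// Added example, not the original poster's or answerer's code.
// Validates a user-supplied embed string: it must be exactly one
// <iframe>...</iframe> or <object>...</object> element, and an iframe's src
// must be an https URL whose host is on an allowlist.

/**
 * Returns 'iframe' or 'object' when the whole string is a single element of
 * that kind, or null otherwise.
 */
function embed_tag_name(string $html): ?string
{
    $html = trim($html);

    // ^ and $ anchor the match to the whole string, \1 requires the closing
    // tag to match the opening one, /s lets . span newlines, /i ignores case.
    if (preg_match('/^<(iframe|object)\b[^>]*>.*<\/\1\s*>$/is', $html, $m) !== 1) {
        return null;
    }

    // Exactly one opening tag of interest may appear; "<iframe ...></iframe>
    // <script>...</script>" already fails the anchored regex, but a second
    // element nested inside the first would not, so count them explicitly.
    if (preg_match_all('/<\s*(iframe|object|script|embed)\b/i', $html) !== 1) {
        return null;
    }

    return strtolower($m[1]);
}

/**
 * True when the element's src attribute is an https URL on an allowed host.
 * $allowedHosts holds lower-case host names.
 */
function embed_src_allowed(string $html, array $allowedHosts): bool
{
    if (preg_match('/\bsrc\s*=\s*["\']([^"\']+)["\']/i', $html, $m) !== 1) {
        return false; // no src at all, nothing to allow
    }

    $url   = html_entity_decode($m[1], ENT_QUOTES);
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || !isset($parts['host'])) {
        return false; // relative, javascript:, data: or non-TLS URLs are rejected
    }

    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

/** Combined check: only allowlisted iframes pass; object embeds are rejected. */
function is_acceptable_embed(string $html, array $allowedHosts): bool
{
    if (embed_tag_name($html) !== 'iframe') {
        return false; // assumption: <object> embeds are not accepted at all
    }
    return embed_src_allowed($html, $allowedHosts);
}

// Constructed allowlist and sample inputs for a local run.
$allowedHosts = ['www.youtube.com', 'player.vimeo.com'];
$samples = [
    '<iframe src="https://www.youtube.com/embed/abc"></iframe>',          // true
    '<IFRAME src="https://player.vimeo.com/video/1"></IFRAME>',           // true
    '<iframe src="https://evil.example/x"></iframe>',                      // false: host
    '<iframe src="http://www.youtube.com/embed/abc"></iframe>',            // false: not https
    '<iframe src="https://www.youtube.com/embed/abc"></iframe><script>1</script>', // false
    'hello <iframe src="https://www.youtube.com/embed/abc"></iframe>',     // false: prefix
    '<object data="https://www.youtube.com/x"></object>',                  // false: object
];

foreach ($samples as $sample) {
    printf("%-5s %s\n", is_acceptable_embed($sample, $allowedHosts) ? 'ok' : 'deny', $sample);
}
```

The wrapper check on its own only guarantees the shape of the string; the src allowlist is what actually limits what a user can load into the page. Adding a sandbox attribute when rendering the iframe and a Content-Security-Policy frame-src directive listing the same hosts are further layers that do not depend on the string check being perfect.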
