douxie9347 2012-09-30 05:57
浏览 18
已采纳

如何以zend形式阻止脚本标记

Hi there I am just testing my own developed application and got a problem. I entered 

<script>window.location = "http://www.google.com";</script>

in Zend_Form_Element_Text element. I pressed submit and the value is saved. After saving value I redirect the user to listing and when it redirects to listing, script tag executes and it goes to google.com.

My form element looks like 

 $first_name = new Zend_Form_Element_Text('first_name');
 $first_name->setRequired(true)
            ->addFilter('StringTrim')
            ->addValidator('StringLength', false, array(2, $metaData['first_name']['LENGTH']))
            ->setDecorators(array('ViewHelper', 'errors'));

I want to know how can I prevent the user to enter such kind of values? Is there any built in validation or any other way?

  • 写回答

2条回答 默认 最新

  • du5591 2012-09-30 08:02
    关注

    Well done for testing your app, many people don't bother. Don't worry about storing that string in your database it won't do any harm and changing it may give you problems with other, valid, entries. As vstm says, escape it when you use it.

    However, as you are specifically talking about a 'First Name' field there is probably some more validation that you can do, such as rejecting any names with a / in them. I'm not aware of any language that has that as part of a name. If there is, I'd love to know how it's pronounced. You could probably add . = \ and some others to that list too, but don't get too carried away.

    You should carefully consider every field in your form with regards to what input you would reasonably expect to receive and validate the input accordingly. Anything that doesn't pass validation is rejected. A string like '<script>window.location = "http://www.google.com";</script>' should certainly never pass validation for a field expecting a person's name.

    Personally, I never filter input. It either passes validation and is accepted, or it doesn't and is rejected. I can't make good input out of bad input by filtering it, so it gets rejected and the user is asked to re-enter their data. For example, using a StripTags filter on 

    <script>window.location = "http://www.google.com";</script>

    will leave you with

    window.location = "http://www.google.com";

    which is still not a valid name and should be rejected.

    Your validation will never work 100% of the time and that is why you should always escape values received from user input before echoing them out to the browser.

    Zend Framework has a raft of validators that you could use and don't forget the validators and filters that PHP has already available for you. Use them properly and you will greatly reduce the risk of malicious input hurting either your application or, more importantly, your users.

    Those validators and filters are there for you to use, but neither PHP nor Zend Framework know what kind of data you are expecting, so it is very important that you read the documentation and learn exactly how they work, how to use them and when to use them.

    There is an excellent resource at The Web Application Security Project that every web dev should be forced to read on pain of death.

    tl;dr
    Validate input and escape output.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 stm32代码移植没反应
  • ¥15 matlab基于pde算法图像修复,为什么只能对示例图像有效
  • ¥100 连续两帧图像高速减法
  • ¥15 组策略中的计算机配置策略无法下发
  • ¥15 如何绘制动力学系统的相图
  • ¥15 对接wps接口实现获取元数据
  • ¥20 给自己本科IT专业毕业的妹m找个实习工作
  • ¥15 用友U8:向一个无法连接的网络尝试了一个套接字操作,如何解决?
  • ¥30 我的代码按理说完成了模型的搭建、训练、验证测试等工作(标签-网络|关键词-变化检测)
  • ¥50 mac mini外接显示器 画质字体模糊