douzhongqiu5032 2017-06-15 03:38
浏览 169
已采纳

我是否需要在html标记属性中使用htmlentities()来防止XSS攻击

So suppose I have this piece of code:

<div class="name" id="<?php echo $userId; ?>">      
    <p>User Name: <?php echo $username; ?></p>
    <p>Last Activity: <?php echo getTime($datetime); ?></p>
    <p>Date: <?php echo $date; ?></p>
</div>

In this, do I have to write htmlentities inside the div id attribute too?

For example, like this:

<div class="name" id="<?php echo htmlentities($userId); ?>" >...</div>

Also, do I need to do this:

<p>Last Activity: <?php echo htmlentities(getTime($datetime)); ?></p>

Thanks for the help!

P.S.:datetime is a function that I have created

  • 写回答

1条回答 默认 最新

  • dongyukang7006 2017-06-15 03:52
    关注

    It depends on if the user can manipulate those variables or not. If they can prior to them being echoed out, then you should sanitize those variables (using htmlentities() and others as well). If those variables are hard coded in so users cannot manipulate them, then you are fine.

    Basically, can the user alter the variable $userID in any way prior to echo $userID being called? Then, yes, you should include htmlentites and probably some other things as well for security purposes.

    Here is a link that may help. Be sure to read the comments for the answers as well.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥30 类鸟群Boids——仿真鸟群避障的相关问题
  • ¥15 CFEDEM自带算例错误,如何解决?
  • ¥15 有没有会使用flac3d软件的家人
  • ¥20 360摄像头无法解绑使用,请教解绑当前账号绑定问题,
  • ¥15 docker实践项目
  • ¥15 数电几道习题,写出作答过程,ai一律不采用
  • ¥15 利用pthon计算薄膜结构的光导纳
  • ¥15 海康hlss视频流怎么播放
  • ¥15 Paddleocr:out of memory error on GPU
  • ¥30 51单片机C语言数码管驱动单片机为AT89C52