问题:
什么是最好的safe1(),safe2(),safe3()和safe4()函数来避免UTS8编码页面的XSS?它在所有浏览器(特别是IE6)中也是安全的吗?
<body><?php echo safe1($xss)?></body>
<body id="<?php echo safe2($xss)?>"></body>
<script type="text/javascript">
var a = "<?php echo safe3($xss)?>";
</script>
<style type="text/css">
.myclass {width:<?php echo safe4($xss)?>}
</style>
.
很多人说可以做的绝对最好的是:
// safe1 & safe2
$s = htmlentities($s, ENT_QUOTES, "UTF-8");
// But how would you compare the above to:
// https://github.com/shadowhand/purifier
// OR http://kohanaframework.org/3.0/guide/api/Security#xss_clean
// OR is there an even better if not perfect solution?
.
// safe3
$s = mb_convert_encoding($s, "UTF-8", "UTF-8");
$s = htmlentities($s, ENT_QUOTES, "UTF-8");
// How would you compare this …这对XSS 100%安全吗?如果没有,你能否提供示例错误的字符串文本,告诉我为什么不是.
<html>
<body>
<script>
<?php
$bad = "some bad string. please give example text that makes the below unsafe";
echo "var a = ".json_encode($bad).";";
echo "var b = ".json_encode(array($bad)).";";
?>
</script>
</body>
</html>
Thanks.