0
我想淨化一個字符串來防止XSS atack,但是如果一個字符串沒有腳本標籤但是有html屬性,字符串不會被淨化。淨化Yii中的html字符串
例子:
$str = 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74';
$purifier = new CHtmlPurifier();
var_dump(
$str,
$purifier->purify($str)
);
結果:
string 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74' (length=145)
string 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74' (length=145)
我注意到purify使編碼特殊字符。有些木頭我沒有做? –
我不明白你的評論。 –