0
我想净化一个字符串来防止XSS atack,但是如果一个字符串没有脚本标签但是有html属性,字符串不会被净化。净化Yii中的html字符串
例子:
$str = 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74';
$purifier = new CHtmlPurifier();
var_dump(
$str,
$purifier->purify($str)
);
结果:
string 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74' (length=145)
string 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74' (length=145)
我注意到purify使编码特殊字符。有些木头我没有做? –
我不明白你的评论。 –