CodeIgniter input filtering


This article covers how to deal with CodeIgniter's input filtering; it may be a useful reference for anyone who runs into the same problem.

Problem description

I am working on a book listing website and have run into a problem with CodeIgniter's XSS filtering. When the form is submitted to create a listing, any title that includes "Javascript:" gets replaced with "[REMOVED]". I have tried accessing the data from the POST array like this:

$title = $_POST['title'];

to avoid using the Input class, but it is still somehow getting filtered. Is there any way around this that does not involve turning global_xss_filtering off?

Recommended answer

Nope, sorry. You have to turn it off because it alters the raw post data early in CI's execution.

I could rant for 5 pages about the proper use of the XSS filter, but I'll try and keep it concise:


  • Filter output, not input
  • Always keep the context in mind and escape appropriately (is this HTML? SQL? JavaScript? a text file?)
  • The global filter is a security blanket. You can remove it once you know what you're doing.

Here's just one of many tragic examples of why the global XSS filter is a bad idea:


  • A user signs up for an account, and sets his password to document.write123
  • You process the password, and end up hashing the string [removed]123
  • Now, the user can log in with any of the following passwords, because those will also get turned into [removed]123 by the filter before you hash them to validate:
      • <script>123
      • document.write123
      • document.cookie123
      • etcetera...

That shouldn't happen. A user shouldn't be able to log in with multiple passwords (unless it's by design... I suppose).

Also, good luck saving any of your blog posts that use <iframe>s... YouTube videos, for example.
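The following is an added example, not code from the question, the answer or the CodeIgniter project. It shows the "filter output, not input" approach the answer recommends: the title is stored exactly as submitted, and each place it is rendered gets the encoder for that context (HTML, URL, JavaScript string). The password is hashed raw, so the [removed]123 collision described above cannot occur. It uses only the PHP standard library so it runs outside CodeIgniter; the CodeIgniter configuration line and the per-field `$this->input->post($name, TRUE)` call mentioned in the comments are the framework's own settings for switching the global filter off and opting in per field. The sample input is constructed for the example.

```php
<?php
// Added example (not from the original post or from CodeIgniter).
// Store input raw, escape on output per context. PHP 7+ standard library only.
//
// In CodeIgniter the equivalent setup is:
//   $config['global_xss_filtering'] = FALSE;   // application/config/config.php
// and then read fields with $this->input->post('title') (no cleaning), or
// $this->input->post('comment', TRUE) only for fields you actually want xss_clean() applied to.

declare(strict_types=1);

// Constructed sample input, as a listing form might submit it. The title is
// legitimate book data that a global XSS filter would mangle into "[removed]".
$submitted = [
    'title'    => 'Javascript: The Good Parts <script>',
    'password' => 'document.write123',
];

// Persist exactly what the user typed; no filtering at the input boundary.
$listing = ['title' => $submitted['title']];

/** Escape for an HTML text node or a double-quoted HTML attribute value. */
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escape for a JavaScript string literal inside an inline <script> block. */
function escJs(string $s): string
{
    // JSON_HEX_* keeps < > & ' " out of the emitted script, so a value
    // containing "</script>" cannot terminate the block early.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
}

/** Escape for a single URL query-string parameter. */
function escUrl(string $s): string
{
    return rawurlencode($s);
}

// The same stored value rendered in three contexts; each gets its own encoder.
printf("<h1>%s</h1>\n", escHtml($listing['title']));
printf("<a href=\"/search?q=%s\">more like this</a>\n", escUrl($listing['title']));
printf("<script>var title = %s;</script>\n", escJs($listing['title']));

// Passwords are never rendered, so they are never escaped or filtered at all.
// Hashing the raw value keeps distinct passwords distinct; hashing a filtered
// value is what lets several different strings verify against one hash.
$hash = password_hash($submitted['password'], PASSWORD_DEFAULT);
var_dump(password_verify('document.write123', $hash));
var_dump(password_verify('document.cookie123', $hash));
```

The point of the three `printf` calls is that the decision about what is dangerous is made where the data leaves the application, not where it enters: the same raw title is safe in all three places because each encoder neutralises the characters that matter in that context, whereas one input-side filter would have to guess every context in advance and, as the answer shows, destroys data in the process.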

That concludes this article on CodeIgniter input filtering; we hope the recommended answer is helpful.

08-30 22:49