
thinkphp filter xss

步履不停
Release: 2019-08-16 18:11:23


What is XSS: In layman's terms, an XSS attack is, like SQL injection, an injection, but of HTML and JavaScript instead of SQL. You expected to receive a useful piece of text from the user, but what the user submitted was executable JavaScript or another script with ulterior motives (merely breaking the page's styling or text is not considered an attack here). When that submitted content is later displayed on a page, the XSS attack takes effect.

There are endless XSS attack methods and scenarios. This article only covers some basic security protection knowledge (it does not cover Flash script attacks). If you want to study this class of attack thoroughly, I recommend a book, <>; if you don't have time to read it, just read this article.

This article assumes basic knowledge of how cookies and sessions work, and some familiarity with the TP framework.

1: Resist 99% of attack methods, applicable to 90% of scenarios.

When the website does not involve complex user interaction, all text submitted by users can simply be processed by the htmlspecialchars function.

The steps in the THINKPHP3.2 version are:

1: Add the following to the project configuration file: 'DEFAULT_FILTER' => 'htmlspecialchars', // default filter function

2: Use the framework's I method to obtain the data submitted by the user;

Example: M('Member')->save(array('content' => I('post.content'))); the content saved this way has already been processed by htmlspecialchars.

Question: Why can text processed by htmlspecialchars be considered safe?

Answer: Looking at the various XSS attack methods, most of them rely on one or more of the characters <>'"& to inject content. The htmlspecialchars function converts these characters into harmless HTML entities.

Question: If such a good method exists, why are so many websites still being attacked?

Answer: Because many programmers carelessly forget to use this method and leave some piece of data unfiltered.
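As an added example (not code from the original post), here is a filter function that can be registered as the DEFAULT_FILTER instead of bare htmlspecialchars. On PHP versions before 8.1, htmlspecialchars() with its default flags leaves the single quote untouched, so a value placed inside a single-quoted attribute is still injectable; passing ENT_QUOTES closes that gap. Registering it assumes the function lives in a file ThinkPHP 3.2 loads automatically, such as the project's Common/function.php.

```php
<?php
// Added example: a DEFAULT_FILTER replacement for ThinkPHP 3.2's I() method.
// Assumes this function is defined in Application/Common/Common/function.php,
// which ThinkPHP 3.2 auto-loads, so that I('post.content') can call it.

function xss_filter($value)
{
    // I('post.') returns an array, so filter recursively.
    if (is_array($value)) {
        return array_map('xss_filter', $value);
    }
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // bytes instead of silently returning an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, the kind a user might submit as post.content.
$samples = array(
    "<script>alert(1)</script>",
    "' onmouseover='alert(1)",
    "Tom & Jerry \"quoted\"",
);

foreach ($samples as $s) {
    echo "raw            : $s\n";
    // What 'DEFAULT_FILTER' => 'htmlspecialchars' produces (no ENT_QUOTES before PHP 8.1).
    echo "htmlspecialchars: " . htmlspecialchars($s) . "\n";
    echo "xss_filter      : " . xss_filter($s) . "\n\n";
}

// In the project config: 'DEFAULT_FILTER' => 'xss_filter', // applied by I() automatically
```

The second sample shows the difference: the bare call keeps the single quote, while xss_filter turns it into &#039;.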

2: Bind the IP to the COOKIE

The cookie generally contains automatic login information and the session_id. Even if everything in the cookie is encrypted, once the cookie is obtained by someone else through an XSS attack, it is equivalent to handing them your account password.

Bind the cookie to the user's IP (other information about the user's client can of course be bound at the same time). You can then judge from the IP whether the cookie really comes from the originally authorized user.

Typical application example:

  1. When the user enables automatic login, the automatic login information is saved:

    $auto = I('post.auto'); // the user enabled automatic login
    if (!empty($auto)) {
        // save the login info in the cookie; $data holds the encrypted account, password
        // and the user's IP; the cookie's expiry has been set globally to one week
        cookie('auto', encrypt(serialize($data)));
    }

  2. When the user closes the browser and later visits the site again, the saved automatic login information is used to log in:

    if (!is_login()) { // not logged in yet?
        $auth = cookie('auto');
        if (!empty($auth)) { // is an auto-login cookie present?
            $data = unserialize(decrypt($auth));
            if (!empty($data) && !empty($data['username']) && !empty($data['password']) && !empty($data['last_login_ip'])) {
                $user = M('Member')->where(array('username' => $data['username'], 'password' => $data['password']))->find();
                // are the cookie's account and password valid? does the IP match?
                if (!empty($user['id']) && ($user['last_login_ip'] == get_client_ip())) {
                    login_session($user['id'], $user['username'], $data['last_login_ip']); // automatic login succeeded
                }
            }
        }
    }

Advantages: In most scenarios, a cookie stolen through an XSS attack is rendered useless. Disadvantages: Since an IP may be shared by several computers, the binding cannot be very precise.

3: Add httponly configuration for COOKIE

  1. The latest version of thinkphp already supports this parameter.

  2. This parameter ensures that the cookie is only transmitted in HTTP requests and cannot be read by scripts in the page. Most browsers on the market now support it.

4: New features of HTML5 worth noting:
