
ThinkPHP's method to prevent XSS attacks

angryTom
Release: 2020-03-10 12:45:36

This article introduces how to set up TP to prevent XSS attacks. I hope it will be helpful to friends who are learning ThinkPHP!


1 If your project does not have a rich text editor, you can use the global filtering method: set htmlspecialchars as the default filter in the config configuration file under the application directory.

// Default global filter method; separate multiple methods with commas
'default_filter' => 'htmlspecialchars',


If you have a rich text editor, this kind of global escaping is not suitable as an anti-XSS measure, because htmlspecialchars also escapes the legitimate HTML the editor produces.


In that case, use Composer to install the HTML Purifier plug-in to handle the filtering. Run this command:

composer require ezyang/htmlpurifier


After the installation succeeds, add the following code to common.php in the application directory, where the public functions are placed:


if (!function_exists('remove_xss')) {
    // Use HTML Purifier to defend against XSS attacks
    function remove_xss($string)
    {
        // Not needed when installed via Composer (the autoloader loads the library).
        // Otherwise include the HTMLPurifier.auto.php core file, relative to the index.php entry file:
        // require_once './plugins/htmlpurifier/HTMLPurifier.auto.php';
        // Create the configuration object
        $cfg = HTMLPurifier_Config::createDefault();
        // The configuration follows:
        $cfg->set('Core.Encoding', 'UTF-8');
        // Whitelist of allowed HTML tags (and, in brackets, their allowed attributes)
        $cfg->set('HTML.Allowed', 'div,b,strong,i,em,a[href|title],ul,ol,li,br,p[style],span[style],img[width|height|alt|src]');
        // Whitelist of CSS properties allowed inside style attributes
        $cfg->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align');
        // Add target="_blank" to outbound <a> links
        $cfg->set('HTML.TargetBlank', TRUE);
        // Build the purifier object from the configuration
        $obj = new HTMLPurifier($cfg);
        // Filter the string and return the cleaned HTML
        return $obj->purify($string);
    }
}

Then, in the config.php configuration file in the application directory, change the default filter from htmlspecialchars to the name of this method, remove_xss.


This combines the framework's own filter mechanism with the plug-in; the code above can be used directly.
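To see why the two approaches differ, here is an added example (not part of the original article) that runs the same constructed rich-text snippet through the global htmlspecialchars filter and through the remove_xss() function defined in common.php above. It assumes Composer's vendor/autoload.php and the application/common.php path; both paths are assumptions.

```php
<?php
// Added example: compare htmlspecialchars with the HTML Purifier whitelist.
// Assumes the Composer autoloader and the remove_xss() function from the
// article's common.php are available at these (assumed) paths.
require __DIR__ . '/vendor/autoload.php';
require __DIR__ . '/application/common.php';

/**
 * Run one HTML string through both filters and return the results side by side.
 *
 * @param string $html Untrusted HTML, e.g. the body of a rich text editor field.
 * @return array{htmlspecialchars: string, remove_xss: string}
 */
function compare_filters(string $html): array
{
    return [
        // Global filter from config.php: escapes every tag, including the
        // legitimate <p>, <b> and <a> produced by the editor, so formatting is lost.
        'htmlspecialchars' => htmlspecialchars($html, ENT_QUOTES, 'UTF-8'),
        // Whitelist filter: tags/attributes listed in HTML.Allowed survive; the
        // <script> element, the onerror handler and the javascript: URL do not,
        // because none of them is on the whitelist or HTML Purifier's URI scheme list.
        'remove_xss' => remove_xss($html),
    ];
}

// Constructed sample: normal editor output mixed with markup an attacker might inject.
$sample = '<p style="color:red">Hello <b>world</b></p>'
        . '<a href="javascript:alert(1)" title="x">link</a>'
        . '<img src="x.png" onerror="alert(1)" alt="pic">'
        . '<script>alert(1)</script>';

foreach (compare_filters($sample) as $filter => $output) {
    echo $filter, ":\n", $output, "\n\n";
}
```

Reading the two outputs next to each other shows the trade-off: htmlspecialchars is safe but unusable for editor content, while remove_xss keeps the formatting the whitelist permits and drops everything else.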

You can also apply XSS filtering to only a specific field:

1 Modify the config file and set the default filter back to 'default_filter' => 'htmlspecialchars',

2 Then, for the field you want to change, set its filter to



Source: zhihu.com