Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
423 views
in Technique[技术] by (71.8m points)

php - Prevent XSS with strip_tags()?

I have a PHP web applications. I do NOT want to allow users to post HTML to my site.

If I simply run strip_tags() on all data prior to saving into my database, will strip_tags() be enough to prevent XSS?

I ask because it's unclear to me from reading the documentation of strip_tags if XSS is prevented. There seems to be some bug with browser allowing <0/script> (yes, a zero) as valid HTML.

UPDATE

I realize that I can simply run htmlspecialchars on all outputted data; however, my thought is that - since I don't want to allow HTML in the first place, it's simply easier (and academically better) to clean my data once and for all, before saving in my database, then have to worry every time I output the data if the data is safe or not.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I strongly disagree it's "academically better".

  • It breaks user input (imagine how useless StackOverflow would be for this discussion if they "cleaned" posts from all tags).

  • Text inserted in HTML with only tags stripped will be invalid. HTML requires & to be escaped as well.

  • It's not even safe in HTML! strip_tags() is not enough to protect values in attributes, e.g., <input value="$foo"> might be exploited with $foo = " onfocus="evil() (no <,> needed!)

So the correct solution is to escape data according to requirements of language you're generating. When you have plain text and you're generating HTML, you should convert text to HTML with htmlspecialchars() or such. When you're generating e-mail, you should convert text to quoted-printable format, and so on.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...