防止错误提示符xss上的img标记为GET

时间:2014-06-11 14:06:36

标签: javascript php html get xss

我想知道如何防止这种类型的xss,我已经尝试了大约4个小时但没有任何作用。

"><img+src%3Dx+onerror%3Dprompt('XSS')>

这是我用来阻止xss:

$term = mysql_real_escape_string($_GET['term']);
$term = strip_tags($term);

这是我打印结果的方式:

echo "<i>Search results for <b>" . strip_tags($term) . "</b> based on the <b>Name</b> of the servers</i><br /><br />";

这是我的完整php代码:

<?php
$term = strip_tags($_GET['term']);
$keywords = preg_split('#\s+#', $term);
$c = 0;
foreach($keywords as $keyword){
if(strlen($keyword) < 3){
    $c++;
}
}
if($c > 0){
$errors[] = "One of the keywords you entered is too short.";
}
if(strlen($term) < 4){
$errors[] = "Search string too short!";
}
if(empty($errors) !== true){
echo output_errors($errors);
} else {
echo "<i>Search results for <b>" . strip_tags($term) . "</b> based on the <b>Name</b> of the servers</i><br /><br />";

$name_where        = "`name` LIKE '%" . implode("%' OR `name` LIKE '%", $keywords) . "%'";
$query             = mysql_query("SELECT * FROM `servers` WHERE {$name_where} AND `disabled` = 0");

?>

2 个答案:

答案 0 :(得分:2)

$term = filter_var($term, FILTER_SANITIZE_STRING);

也许尝试这样的事情:

$term = filter_var($term, FILTER_SANITIZE_STRING);
$term = filter_var($term, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

有许多过滤器,你可以像过滤一样过滤它们。

filter_var()的优点是你可以控制行为,例如,剥离或编码低位和高位字符。

以下是过滤器列表:Filters

答案 1 :(得分:0)

您还可以filter_input获取外部变量并选择过滤它们。

<?php

    // FILTER_SANITIZE_SPECIAL_CHARS filter HTML-escapes special characters
    $term = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_SPECIAL_CHARS);

    // FILTER_SANITIZE_STRING strips or encodes unwanted characters
    $term = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_STRING);
相关问题
最新问题