我正在尝试净化字符串以防止XSS攻击,但如果字符串没有脚本标记但有html attributs,则该字符串不会被净化。
示例:
$str = 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74';
$purifier = new CHtmlPurifier();
var_dump(
$str,
$purifier->purify($str)
);
结果:
string 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74' (length=145)
string 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74' (length=145)
答案 0 :(得分:1)
是的,因为该字符串是有效的无XSS HTML。如果您计划在属性中使用它来净化它,您可以使用HTML Purifier的内部(.|\n)*?([!?.]\s+|[\n]{2,}|$)类来手动净化它。对于网址,您可能需要AttrDef:
HTMLPurifier_AttrDef_URI