CakePHP 3: what should I do about XSS filtering?

Time: 2017-06-29 06:06:58

Tags: cakephp cakephp-3.0 xss cakephp-3.x server-side-validation

The CakePHP version I am using is 3.4.x.

My CakePHP 3 application has a dozen or so forms. I want to implement XSS filtering for all of them. What is the simplest way to do this without making changes to every form function?

I read in an answer that to sanitize the view we should use the CakePHP convenience function h($string), which renders all XSS attempts completely harmless.

I tried this, but it did not work.


src\Template\Users\view.ctp

<p><span>Address</span>: <?= h($user->address) ?></p>

Is there a way to implement XSS filtering before the data is saved to the database?

My controller function (baked for me by CakePHP) for adding a new user and their information:

src\Controller\UsersController.php

public function add()
{
    $this->viewBuilder()->setLayout('admin');
    $user = $this->Users->newEntity();
    if ($this->request->is('post')) {
        // Mass-assign the submitted form fields onto the entity.
        $user = $this->Users->patchEntity($user, $this->request->getData());
        if ($this->Users->save($user)) {
            $this->Flash->success(__('The user has been saved.'));

            return $this->redirect(['action' => 'index']);
        }
        $this->Flash->error(__('The user could not be saved. Please, try again.'));
    }
    $groups = $this->Users->Groups->find('list', ['limit' => 200]);
    $this->set(compact('user', 'groups'));
    $this->set('_serialize', ['user']);
}

src\Model\Table\UsersTable.php

// Requires at the top of the file:
//   use Cake\Auth\DefaultPasswordHasher;
//   use Cake\Event\Event;
//   use Cake\Utility\Text;
public function beforeSave(Event $event)
{
    $entity = $event->getData('entity');

    if ($entity->isNew()) {
        $hasher = new DefaultPasswordHasher();

        // Generate an API 'token'
        $entity->api_key_plain = sha1(Text::uuid());

        // Bcrypt the token so BasicAuthenticate can check
        // it during login.
        $entity->api_key = $hasher->hash($entity->api_key_plain);
    }
    return true;
}

Thanks!

2 answers:

Answer 0 (score: 0)

You can use a mutator method in the User entity class:

use Cake\ORM\Entity;

class User extends Entity
{
    // Called whenever $user->address is set (patchEntity included),
    // so the stored value never contains HTML tags.
    protected function _setAddress($value)
    {
        return strip_tags($value);
    }
}

With this mutator you can modify the input data before it is saved to the database, every time the entity is created or updated. More information on mutators: https://book.cakephp.org/3.0/en/orm/entities.html#accessors-mutators

You can also use another approach, but I have not written this before. If you want to use it, you should test this code. Using the $entity->getDirty() method we can get all modified fields and change their values in the Table::beforeSave() method:

public function beforeSave($event)
{
    $entity = $event->getData('entity');

    // getDirty() returns the names of the fields changed since the entity was loaded.
    $modified = $entity->getDirty();
    foreach ($modified as $v) {
        // Only strings can be passed to strip_tags(); leave ints, dates
        // and associated entities untouched.
        if (isset($entity->{$v}) && is_string($entity->{$v})) {
            $entity->{$v} = strip_tags($entity->{$v});
        }
    }

    return true;
}
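Added example, not code from this answer or from the CakePHP project: the beforeSave() approach above can be packaged once as a behavior and attached to every table, which addresses the question's wish to avoid editing each form. The class name StripTagsBehavior, the file path, and the 'fields' and 'allowedTags' options are assumptions of this example; Behavior, Event, EntityInterface, getDirty(), isDirty(), get() and set() are CakePHP 3.4 API.

```php
<?php
// src/Model/Behavior/StripTagsBehavior.php  (path assumed for this example)
namespace App\Model\Behavior;

use ArrayObject;
use Cake\Datasource\EntityInterface;
use Cake\Event\Event;
use Cake\ORM\Behavior;

/**
 * Removes HTML tags from changed string fields before an entity is saved.
 *
 * Attach it in a table's initialize():
 *   $this->addBehavior('StripTags', ['fields' => ['address', 'bio']]);
 * With no 'fields' option every dirty string field is processed.
 */
class StripTagsBehavior extends Behavior
{
    protected $_defaultConfig = [
        'fields' => [],       // empty = all dirty string fields
        'allowedTags' => '',  // passed straight to strip_tags()
    ];

    public function beforeSave(Event $event, EntityInterface $entity, ArrayObject $options)
    {
        // Restrict to configured fields, or fall back to whatever the request changed.
        $fields = $this->getConfig('fields') ?: $entity->getDirty();

        foreach ($fields as $field) {
            // Untouched fields keep their stored value; this avoids re-processing
            // data that was already cleaned on an earlier save.
            if (!$entity->isDirty($field)) {
                continue;
            }
            $value = $entity->get($field);
            // strip_tags() only makes sense for strings; ints, DateTime objects
            // and nested association entities must be left alone.
            if (!is_string($value)) {
                continue;
            }
            $clean = strip_tags($value, $this->getConfig('allowedTags'));
            if ($clean !== $value) {
                $entity->set($field, $clean);
            }
        }
    }
}
```

Attaching the behavior in UsersTable::initialize() keeps the controller's patchEntity()/save() flow unchanged. Note what this does and does not buy: strip_tags() is lossy (a legitimate address containing "<" is altered) and is blind to the context the value is later rendered in, such as an HTML attribute or a JavaScript string, so the h() call in the view remains the control that actually prevents XSS; the behavior only reduces what reaches the database.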

Answer 1 (score: 0)

You need to remove the tags from …

Please check the official solution for the entity.

You need to use it in the CakePHP 3.x model.