Hey, I'm building a website that involves submitting adverts for game servers. I'm wondering whether I can strip PHP-related tags from the contents of the text box? It seems that if I leave it as it is now, it could become a security risk later. At the moment the only thing I do to the content is nl2br(). What is the best way to do this?
Thanks.
Answer 0 (score: 1)
Answer 1 (score: 1)
There are three ways to execute PHP code:
eval()
include() / require()
Having a file that contains PHP code with something like this:
```php
<?php
$txt = "<" . "?php echo 'Hi mom!' ?" . ">";
echo $txt;
```
will not magically make your browser spit out "Hi mom!". It will spit out the PHP code itself.
If you put the above code into a file and output it like this:
```php
$txt = file_get_contents('file_with_the_hi_mom_code.php');
echo $txt;
```
it will not be executed either; the user will just see some raw PHP code on the screen.
Now, if you do this:
```php
include('file_with_the_hi_mom_code.php');
```
or
```php
eval(file_get_contents('file_with_the_hi_mom_code.php'));
```
then the code will be executed.
Answer 2 (score: 0)
So, the solution:
```php
<?php
// here is content from the textarea (filled in as an example)
$content = 'some <?php echo "test"; ?> <?=test?> content <br/> here';
$content = preg_replace('/<\?((?!\?>).)*\?>/s', '', $content); // strip all the php code
```
Answer 3 (score: 0)
You don't have to worry about users entering PHP code. If you store it in a string and display it back, it will never be executed. You would have to go out of your way with eval to make that happen. You can try it yourself:
```php
$code = '<?php echo "hi"; ?>';
echo $code;
```
This does nothing.
However, you do need to worry about HTML.
```php
$code = '<script>alert("hi");</script>';
echo $code;
```
This will work and alert "hi". To prevent it, you should sanitize everything you get from users with htmlspecialchars before displaying it.
```php
$code = '<script>alert("hi");</script>';
echo htmlspecialchars($code);
```
Here is a live example, and here is a more complete answer on sanitization.
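As an added example (not code from the question or from any of the answers), this shows how the question's existing nl2br() step combines with htmlspecialchars() for the ad text, in both a body and an attribute context; the function names render_ad_text/render_ad_attr and the two sample submissions are made up for the illustration.

```php
<?php
// Added example, not from the question or any answer: escape the textarea
// content for HTML first, then apply the nl2br() the question already uses.
// If nl2br() ran first, htmlspecialchars() would turn its <br /> into
// literal "&lt;br /&gt;" text in the page.
declare(strict_types=1);

/**
 * Escape user text for an HTML body context, then convert newlines to <br />.
 * ENT_QUOTES also escapes single quotes; 'UTF-8' is stated explicitly so the
 * result does not depend on the default charset.
 */
function render_ad_text(string $raw): string
{
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return nl2br($escaped);
}

/**
 * Escape a value for a quoted HTML attribute (e.g. a server name in
 * title="..."). No nl2br() here: a line break means nothing in an attribute.
 */
function render_ad_attr(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions: the first carries PHP tags, which are
// inert when echoed (as the answers above explain); the second carries the
// kind of markup that is the real risk (XSS).
$samples = [
    "Join MyServer!\nRules: <?php echo 'no cheating'; ?>",
    "Best server\n<script>alert(\"hi\")</script>",
];

foreach ($samples as $raw) {
    // Body context: tags and quotes come out as entities, the newline as <br />.
    echo '<p>' . render_ad_text($raw) . "</p>\n";
    // Attribute context: the same text is safe inside a quoted attribute.
    echo '<a href="/server" title="' . render_ad_attr($raw) . '">details</a>' . "\n";
}
```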
Answer 4 (score: -1)
Preface: this has nothing to do with php tags.
First, you have to decide which characters are allowed there and which are not. Restrict these as much as possible (and this can be checked with a regular expression).
Then, guard against XSS. Below is a piece of code for that (as an example):
```php
<?php
// Posted as a class method ("public function"); shown here as a plain
// function so the snippet runs stand-alone. The entity-encoded replacement
// strings (&lt;, &gt;, &#40;, &#41;) are restored below: the page's HTML
// rendering had decoded them into plain characters, which would have turned
// several of the replacements into no-ops.
function clean_xss($str, $charset = 'ISO-8859-1') {
    /*
     * Remove Null Characters
     *
     * This prevents sandwiching null characters
     * between ascii characters, like Java\0script.
     *
     */
    $str = preg_replace('/\0+/', '', $str);
    $str = preg_replace('/(\\\\0)+/', '', $str);
    /*
     * Validate standard character entities
     *
     * Add a semicolon if missing. We do this to enable
     * the conversion of entities to ASCII later.
     *
     */
    $str = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u', "\\1;", $str);
    /*
     * Validate UTF16 two byte encoding (x00)
     *
     * Just as above, adds a semicolon if missing.
     *
     */
    $str = preg_replace('#(&\#x*)([0-9A-F]+);*#iu', "\\1\\2;", $str);
    /*
     * URL Decode
     *
     * Just in case stuff like this is submitted:
     *
     * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
     *
     * Note: Normally urldecode() would be easier but it removes plus signs
     *
     */
    $str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);
    $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);
    /*
     * Convert character entities to ASCII
     *
     * This permits our tests below to work reliably.
     * We only convert entities that are within tags since
     * these are the ones that will pose security problems.
     *
     */
    if (preg_match_all("/<(.+?)>/si", $str, $matches)) {
        for ($i = 0; $i < count($matches['0']); $i++) {
            $str = str_replace($matches['1'][$i],
                html_entity_decode($matches['1'][$i], ENT_COMPAT, $charset), $str);
        }
    }
    /*
     * Convert all tabs to spaces
     *
     * This prevents strings like this: ja vascript (with a tab in the middle)
     * Note: we deal with spaces between characters later.
     *
     */
    $str = preg_replace("#\t+#", " ", $str);
    /*
     * Makes PHP tags safe
     *
     * Note: XML tags are inadvertently replaced too:
     *
     * <?xml
     *
     * But it doesn't seem to pose a problem.
     *
     */
    $str = str_replace(array('<?php', '<?PHP', '<?', '?>'), array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'), $str);
    /*
     * Compact any exploded words
     *
     * This corrects words like: j a v a s c r i p t
     * These words are compacted back to their correct state.
     *
     */
    $words = array('javascript', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
    foreach ($words as $word) {
        $temp = '';
        for ($i = 0; $i < strlen($word); $i++) {
            $temp .= substr($word, $i, 1) . "\s*";
        }
        // drop the trailing "\s*" so the pattern ends on the last letter
        $temp = substr($temp, 0, -3);
        $str = preg_replace('#' . $temp . '#s', $word, $str);
        $str = preg_replace('#' . ucfirst($temp) . '#s', ucfirst($word), $str);
    }
    /*
     * Remove disallowed Javascript in links or img tags
     */
    $str = preg_replace("#<a.+?href=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>.*?</a>#si", "", $str);
    $str = preg_replace("#<img.+?src=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>#si", "", $str);
    $str = preg_replace("#<(script|xss).*?\>#si", "", $str);
    /*
     * Remove JavaScript Event Handlers
     *
     * Note: This code is a little blunt. It removes
     * the event handler and anything up to the closing >,
     * but it's unlikely to be a problem.
     *
     */
    $str = preg_replace('#(<[^>]+.*?)(onblur|onchange|onclick|onfocus|onload|onmouseover|onmouseup|onmousedown|onselect|onsubmit|onunload|onkeypress|onkeydown|onkeyup|onresize)[^>]*>#iU', "\\1>", $str);
    /*
     * Sanitize naughty HTML elements
     *
     * If a tag containing any of the words in the list
     * below is found, the tag gets converted to entities.
     *
     * So this: <blink>
     * Becomes: &lt;blink&gt;
     *
     */
    $str = preg_replace('#<(/*\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is', "&lt;\\1\\2\\3&gt;", $str);
    /*
     * Sanitize naughty scripting elements
     *
     * Similar to above, only instead of looking for
     * tags it looks for PHP and JavaScript commands
     * that are disallowed. Rather than removing the
     * code, it simply converts the parenthesis to entities
     * rendering the code un-executable.
     *
     * For example: eval('some code')
     * Becomes: eval&#40;'some code'&#41;
     *
     */
    $str = preg_replace('#(alert|cmd|passthru|eval|exec|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $str);
    /*
     * Final clean up
     *
     * This adds a bit of extra precaution in case
     * something got through the above filters
     *
     */
    $bad = array(
        'document.cookie' => '',
        'document.write' => '',
        'window.location' => '',
        "javascript\s*:" => '',
        "Redirect\s+302" => '',
        '<!--' => '&lt;!--',
        '-->' => '--&gt;'
    );
    foreach ($bad as $key => $val) {
        $str = preg_replace("#" . $key . "#i", $val, $str);
    }
    return $str;
}
```