
The PHP function htmlentities does not escape ' with its default parameters, which leads to XSS attacks

2007-12-01 08:56:16           

Gareth Heyes posted "htmlentities is badly designed" on his blog: http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/

The gist is that with its default parameters htmlentities does not escape the single quote, which leads to XSS and similar issues. The description in the PHP manual reads:

htmlentities
(PHP 3, PHP 4, PHP 5)

htmlentities -- Convert all applicable characters to HTML entities
Description
string htmlentities ( string string [, int quote_style [, string charset]] )

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

Like htmlspecialchars(), the optional second quote_style parameter lets you define what will be done with single and "double" quotes. It takes on one of three constants with the default being ENT_COMPAT:

Table 1. Available quote_style constants

Constant Name Description
ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES Will convert both double and single quotes.
ENT_NOQUOTES Will leave both double and single quotes unconverted.

In htmlspecialchars:

& (ampersand) becomes &amp;

" (double quote) becomes &quot; when ENT_NOQUOTES is not set.

' (single quote) becomes &#039; only when ENT_QUOTES is set.

< (less than) becomes &lt;

> (greater than) becomes &gt;

So htmlentities($variable, ENT_QUOTES); is safer than htmlentities($variable);. But htmlentities() is only a character-processing function; in many situations it can still allow XSS and similar attacks, for example with encodings such as UTF-7 and UTF-8...

Try it out:

<?php
// Array key must be quoted; the original used the bare constant $_GET[url].
// Even with ENT_QUOTES set, the characters of a UTF-7 encoded string are
// plain ASCII, so nothing here is converted.
echo htmlspecialchars($_GET['url'], ENT_QUOTES);
?>

Submit: url=%2bADw-SCRIPT%2bAD4-alert(document.cookie)%2bADw-%2fSCRIPT%2bAD4-

There are also many double-encoding cases that may get past htmlentities.
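The following is an added example, not code from the original article or from Gareth Heyes' post; it compares what the quote_style constants do to a constructed value placed in a single-quoted attribute, and shows the hardened output pattern (ENT_QUOTES plus an explicit charset in both the function call and the Content-Type header). The helper name h() is an assumption.

```php
<?php
// Declare the charset before any output so the browser never has to guess
// the encoding (guessing is what lets UTF-7 sequences be interpreted as tags).
header('Content-Type: text/html; charset=UTF-8');

// Hardened helper (assumed name): always ENT_QUOTES and an explicit charset.
function h($s) {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a value that closes a single-quoted attribute.
$value = "x' onmouseover='alert(1)";

// Default quote_style is ENT_COMPAT: the single quote is left untouched,
// so inside value='...' the attribute boundary can still be broken.
$compat = htmlentities($value);
// ENT_QUOTES converts the single quote to &#039; as well.
$quotes = htmlentities($value, ENT_QUOTES, 'UTF-8');
// ENT_NOQUOTES converts neither kind of quote.
$noquotes = htmlentities($value, ENT_NOQUOTES, 'UTF-8');

// Show the escaped strings as text (inside <pre>, themselves escaped) so the
// comparison is readable and nothing unsafe is rendered.
echo "<pre>\n";
echo "ENT_COMPAT:   " . h($compat) . "\n";   // x' onmouseover='alert(1)
echo "ENT_QUOTES:   " . h($quotes) . "\n";   // x&#039; onmouseover=&#039;alert(1)
echo "ENT_NOQUOTES: " . h($noquotes) . "\n"; // x' onmouseover='alert(1)
echo "</pre>\n";

// Only the hardened form is used when writing user input into an attribute.
$url = isset($_GET['url']) ? $_GET['url'] : '';
echo "<a href='" . h($url) . "'>link</a>\n";
?>
```

For the UTF-7 case from the article, the function call alone cannot help, since the payload contains only ASCII; the explicit charset in the Content-Type header is the part that prevents the browser from interpreting it.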
