开发者

How do I protect against HTML injection in a URL form field with PHP?

问答 作者:

For example if I am colecting a [URL value] in a form, saving that [URL value] in a database, and then using it in a page like this:

<a href="[URL value]" > The Link </a>

How do I protect against this [URL value]:

http://www.somelink.com"> Evil text or can be empty </a>  ALL THE EVIL HTML I WANT  <a href="

How can I protect against this kind of HTML injection for URL f开发者_如何学运维orm fileds without breaking the URL in case it is valid ?

When receiving the URL on the form:

  • Use filter_var(url, FILTER_VALIDATE_URL) to ensure the URL is in a valid format.
  • Ensure the URL starts with http:// or https:// (or at least reject all javascript: URL as they can include malignant code)
  • Use prepared statements when inserting the URL (and other form data) in the database or properly escape that data to prevent SQL injections.


When displaying the page:

  • Use htmlspecialchars() to escape the URL (and all other text) that you insert in the HTML.

The simplest way to do that would be to check that the input contains what looks like a syntactically valid url, with no characters such as > which are not allowed in URL's. The easiest way to do that is using the filter extension. The code to do it would be like this:

if (filter_var($url, FILTER_VALIDATE_URL)) {
    //Valid URL submitted
} else {
    //Invalid URL submitted
}

EDIT: Just use urlencode, do not use htmlentities as well

Whenever you put data into the key/value pairs of a URL, you should encode that data using urlencode(). This function will take care of any special characters that syntactic meaning in the way URLs are meant to be constructed. Ampersands, equal signs and question marks will be encoded for you. All the angle brackets AND new line characters in the inject HTML will be encoded too!

<?php $TheVariable = $_REQUEST['suspect_var']; // Untrusted data ?>


<a href="http://www.mysite.com/script.php?untrusted_data=<?php echo urlencode($TheVariable) ?>">The Link</a>

For escaping when displaying use htmlentities($var, ENT_QUOTES) or htmlspecialchars($var, ENT_QUOTES). It's needed to escape both single and double quotes because of browser-specific XSS payloads. Check here - http://ha.ckers.org/xss2.html

Also, when validating URL javascript: URI is not the only one dangerous. Other one is data: URI.

Anyway, it's always more secure to exclude everything except whitelisted, then to include everything except black-listed.

Use urlencode to encode just the " sign when printing the url, like:

echo '<a href="'.str_replace('"', urlencode('"'), $url).'">link name</a>';

继续阅读:code-injectionphpxss

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9