XSS prevention
2022-07-02 03:52:00 【Doc_ ACwhite】
Steps to wrap it for TP6:

① Install the ezyang/htmlpurifier extension library with composer, running the command in the project directory:

```bash
composer require ezyang/htmlpurifier
```

② Define the remove_xss function in app/common.php:
```php
if (!function_exists('remove_xss')) {
    // Use HTMLPurifier to guard against XSS
    function remove_xss($string)
    {
        // Without composer: include the HTMLPurifier.auto.php core file, relative to the index.php entry file
        //require_once './plugins/htmlpurifier/HTMLPurifier.auto.php';
        // Create the configuration object
        $cfg = HTMLPurifier_Config::createDefault();
        // Configuration:
        $cfg->set('Core.Encoding', 'UTF-8');
        // Allowed HTML tags (and, in brackets, their allowed attributes)
        $cfg->set('HTML.Allowed', 'div,b,strong,i,em,a[href|title],ul,ol,li,br,p[style],span[style],img[width|height|alt|src]');
        // Allowed CSS properties inside style attributes
        $cfg->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align');
        // Whether target="_blank" is added to a tags
        $cfg->set('HTML.TargetBlank', true);
        // Build the purifier from the configuration
        $obj = new HTMLPurifier($cfg);
        // Filter the string
        return $obj->purify($string);
    }
}
```
Note: the htmlpurifier plugin removes script tags together with the JS code they contain; more generally, any tag or attribute not on the HTML.Allowed whitelist above is stripped.
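An added example, not code from the original post, showing how the purifier above is typically used in practice: one HTMLPurifier instance built once and reused, applied only to the fields that legitimately carry HTML, while plain-text fields are stored unchanged and escaped on output. It assumes ezyang/htmlpurifier is installed through composer as described above and that the script is run from the project root; the field name `content`, the helper names and the sample input are constructed for the example.

```php
<?php
// Added example (not from the original post). Assumes the composer install
// from step ① and that this file sits in the project root.
require_once __DIR__ . '/vendor/autoload.php';

function rich_text_purifier(): HTMLPurifier
{
    static $purifier = null;   // building the config is costly, so do it once
    if ($purifier === null) {
        $cfg = HTMLPurifier_Config::createDefault();
        $cfg->set('Core.Encoding', 'UTF-8');
        // Same whitelist as the post's remove_xss()
        $cfg->set('HTML.Allowed', 'div,b,strong,i,em,a[href|title],ul,ol,li,br,p[style],span[style],img[width|height|alt|src]');
        $cfg->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align');
        $cfg->set('HTML.TargetBlank', true);
        $purifier = new HTMLPurifier($cfg);
    }
    return $purifier;
}

// Fields that legitimately carry HTML (hypothetical: an article body) are
// purified; everything else is plain text and is escaped when rendered.
const RICH_TEXT_FIELDS = ['content'];

function clean_for_storage(array $input): array
{
    $out = [];
    foreach ($input as $field => $value) {
        if (in_array($field, RICH_TEXT_FIELDS, true)) {
            $out[$field] = rich_text_purifier()->purify((string) $value);
        } else {
            $out[$field] = (string) $value;  // stored as-is, escaped on output
        }
    }
    return $out;
}

// Output escaping for plain-text fields placed into HTML
function render_plain(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a plain-text title and a rich-text body that
// mixes allowed markup with a script tag and a javascript: link
$post = [
    'title'   => 'Hello <b>world</b> & "friends"',
    'content' => '<p style="color:red">ok</p><script>alert(1)</script><a href="javascript:alert(1)">link</a>',
];
$stored = clean_for_storage($post);
echo $stored['content'], PHP_EOL;        // script tag and javascript: href are gone
echo render_plain($stored['title']), PHP_EOL;
```

Keeping the two paths apart matters: purifying a plain-text field would silently alter legitimate input such as a title containing `<` or `&`, while escaping a rich-text field on output would show the user raw tags instead of formatting. The purifier enforces the whitelist from the post, so the script element is dropped and the `a` element keeps only attributes and URI schemes the configuration allows.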
Middleware that checks the request data
```php
<?php
namespace app\middleware;

use Closure;
use Exception;
use think\Request;
use think\Response;

class Safe
{
    /**
     * Handle the request
     *
     * @param Request $request
     * @param Closure $next
     * @return Response
     */
    public function handle($request, Closure $next)
    {
        try {
            # Token verification can be added directly on the route
            # Verify the timestamp
            $this->checkTime();
            # Verify the signature
            $this->checkSign();
            return $next($request);
        } catch (Exception $exception) {
            return json($exception->getMessage());
        }
    }

    /**
     * Verify the timestamp
     * @throws Exception
     */
    public function checkTime()
    {
        $client_time = request()->get('timestamp') ?: request()->post('timestamp');
        if (!is_numeric($client_time)) {
            throw new Exception('Incorrect timestamp format');
        }
        if (time() - $client_time > 120) {
            throw new Exception('Request timeout');
        }
    }

    /**
     * Verify the signature
     * @throws Exception
     */
    public function checkSign()
    {
        $client_sign = request()->get('sign') ?: request()->post('sign');
        # Is a signature present?
        if (!$client_sign) {
            throw new Exception('Incorrect signature');
        }
        # Does it match? hash_equals() compares in constant time and avoids
        # the loose-comparison pitfalls of != on hex strings
        $server_sign = $this->getSign();
        if (!hash_equals($server_sign, (string) $client_sign)) {
            throw new Exception('Incorrect signature');
        }
    }

    /**
     * Compute the server-side signature
     * @return string
     */
    public function getSign()
    {
        # All request parameters
        $params = request()->all();
        # Signature rules
        # Step 1: the signed parameters exclude sign itself and token
        unset($params['sign']);
        unset($params['token']);
        # Step 2: sort the keys in ASCII order
        ksort($params);
        $wait_sign = '';
        foreach ($params as $key => $value) {
            $wait_sign .= $key . '=' . $value . '&';
        }
        # Remove the trailing & symbol
        $wait_sign = rtrim($wait_sign, '&');
        return md5($wait_sign);
    }
}
```
Generating the sign on the front end
```html
<script src="../javaScript-MD5/js/md5.js"></script>
<script>
// Signature rules (must match getSign() on the server):
//   step 1: the signed parameters exclude sign itself and token
//   step 2: sort the keys in ASCII order
//   step 3: join as key=value&key=value..., dropping the trailing &
var params = {};                 // plain object with string keys, not an Array
params['id'] = 1;
params['name'] = 'Zhang San';
var sign = createSign(params);   // also adds timestamp to params
params['sign'] = sign;
var url = 'http://pyg.com/list?';
for (var i in params) {
    url += i + '=' + encodeURIComponent(params[i]) + '&';
}
$.ajax({
    url: url,
    dataType: 'json',
    success: function (result) {
        console.log(result);
    }
});

function createSign(params) {
    var timestamp = Math.ceil((new Date()).getTime() / 1000);
    params['timestamp'] = timestamp;
    // Array.prototype.sort() does not order the properties of an object,
    // so sort the key names explicitly
    var keys = Object.keys(params).sort();
    var wait_sign = '';
    for (var k = 0; k < keys.length; k++) {
        wait_sign += keys[k] + '=' + params[keys[k]] + '&';
    }
    wait_sign = wait_sign.substr(0, wait_sign.length - 1);
    console.log(wait_sign);
    // hex_md5() is the function provided by the md5.js library loaded above
    var sign = hex_md5(wait_sign);
    return sign;
}
</script>
```
Method two: a global filter

Set the global filter method to htmlspecialchars.

[This method makes the payment feature of the initial version unusable.]

The framework sets no global filter rules by default; you can set the filter property of the app\Request object:
```php
namespace app;

class Request extends \think\Request
{
    protected $filter = ['htmlspecialchars'];
}
```
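An added example, not from the original post, that serves two of the passages above: it implements the signing rule shared by getSign() in the middleware and createSign() in the front-end script as standalone functions, and it shows what the global htmlspecialchars filter does to that rule. A value containing `&` is rewritten by the filter before the server recomputes the signature, so a correctly signed request no longer verifies; that is how a global filter can break a signed callback such as a payment notification. The checks use hash_equals() and a symmetric clock-skew window, and a keyed HMAC variant is included as a hypothetical alternative. The function names, the sample requests and the shared secret are constructed for the example; the post itself uses an unkeyed md5.

```php
<?php
// Added example (not from the original post). Plain PHP, no framework needed.

const MAX_CLOCK_SKEW = 120; // seconds, the window used by the post's checkTime()

// Same rule as getSign(): drop sign and token, ksort, join k=v with &, md5
function build_sign_base(array $params): string
{
    unset($params['sign'], $params['token']);
    ksort($params);
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    return implode('&', $pairs);
}

function make_sign(array $params): string
{
    return md5(build_sign_base($params));
}

// Hypothetical keyed version: an HMAC over the same base string with a
// secret that client and server share, so knowing the rule alone is not
// enough to produce a valid sign
function make_keyed_sign(array $params, string $secret): string
{
    return hash_hmac('sha256', build_sign_base($params), $secret);
}

// The middleware's two checks as pure functions over the request parameters
function check_time(array $params, int $now): bool
{
    $ts = $params['timestamp'] ?? null;
    // abs() also rejects timestamps far in the future, not only stale ones
    return is_numeric($ts) && abs($now - (int) $ts) <= MAX_CLOCK_SKEW;
}

function check_sign(array $params): bool
{
    $client = $params['sign'] ?? '';
    // hash_equals: constant-time and strict (no "0e..." == "0e..." surprises)
    return is_string($client) && hash_equals(make_sign($params), $client);
}

// Constructed request, signed the way the post's createSign() intends
$now = time();
$request = ['id' => 1, 'name' => 'Zhang San', 'timestamp' => $now];
$request['sign'] = make_sign($request);
var_dump(check_time($request, $now), check_sign($request));

// Constructed callback with a value that htmlspecialchars rewrites
// (a URL carrying & in its query string)
$callback = [
    'order_id'   => 'A100',
    'return_url' => 'https://example.test/done?a=1&b=2',
    'timestamp'  => $now,
];
$callback['sign'] = make_sign($callback);

// What the server sees after a global htmlspecialchars filter has run
$filtered = array_map('htmlspecialchars', $callback);
var_dump(check_sign($callback), check_sign($filtered));

// Keyed variant; the secret is a placeholder, not a real value
$secret = 'CHANGE-ME-shared-secret';
$request['sign'] = make_keyed_sign($request, $secret);
var_dump(hash_equals(make_keyed_sign($request, $secret), $request['sign']));
```

Run it with `php sign_example.php` (any file name). The signed request and the unfiltered callback verify; the filtered copy does not, because `&` in return_url became `&amp;` before the server rebuilt the string it signs, which is exactly the situation a global filter creates for any parameter containing `<`, `>`, `&` or quotes. Two caveats for the post's scheme: an unkeyed md5 only detects accidental corruption, since anyone who knows the rule can compute a matching sign, so integrity against a tampering party needs the shared secret used in make_keyed_sign(); and the timestamp window, with no record of seen values, bounds how long a captured request stays usable rather than preventing its reuse within the window.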