XSS prevention
2022-07-02 03:52:00 【Doc_ ACwhite】
Wrapping HTMLPurifier in ThinkPHP 6 (TP6), step by step:
① Use Composer to install the ezyang/htmlpurifier extension library. Run the following in the project directory:

```shell
composer require ezyang/htmlpurifier
```

② Define a remove_xss function in app/common.php:
```php
if (!function_exists('remove_xss')) {
    // Use HTMLPurifier to guard against XSS
    function remove_xss($string)
    {
        // Without Composer autoloading, require HTMLPurifier.auto.php
        // relative to the index.php entry file instead:
        // require_once './plugins/htmlpurifier/HTMLPurifier.auto.php';
        // Create the configuration object
        $cfg = HTMLPurifier_Config::createDefault();
        // Configuration:
        $cfg->set('Core.Encoding', 'UTF-8');
        // Allowed HTML tags (with their allowed attributes in brackets)
        $cfg->set('HTML.Allowed', 'div,b,strong,i,em,a[href|title],ul,ol,li,br,p[style],span[style],img[width|height|alt|src]');
        // Allowed CSS properties inside style attributes
        $cfg->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align');
        // Whether target="_blank" is allowed on <a> tags
        $cfg->set('HTML.TargetBlank', true);
        // Build the purifier from the configuration
        $obj = new HTMLPurifier($cfg);
        // Filter the string
        return $obj->purify($string);
    }
}
```
Note: the HTMLPurifier library removes script tags together with the JS code they contain, and drops every tag, attribute and CSS property not listed in the whitelist above.
Processing the request data in middleware
```php
namespace app\middleware;

use Exception;
use think\Response;

class Safe
{
    /**
     * Handle the request
     *
     * @param \think\Request $request
     * @param \Closure $next
     * @return Response
     */
    public function handle($request, \Closure $next)
    {
        try {
            // Token verification can be added directly after the route
            // Verify the timestamp
            $this->checkTime();
            // Verify the signature
            $this->checkSign();
            return $next($request);
        } catch (Exception $exception) {
            return json($exception->getMessage());
        }
    }

    /**
     * Verify the timestamp
     * @throws Exception
     */
    public function checkTime()
    {
        $client_time = request()->get('timestamp') ?: request()->post('timestamp');
        if (!is_numeric($client_time)) {
            throw new Exception('Incorrect timestamp format');
        }
        // Reject requests more than 120 seconds away from server time
        // in either direction (a future timestamp must not pass forever)
        if (abs(time() - (int) $client_time) > 120) {
            throw new Exception('Request timeout');
        }
    }

    /**
     * Check the signature
     * @throws Exception
     */
    public function checkSign()
    {
        $client_sign = request()->get('sign') ?: request()->post('sign');
        // Is there a signature at all?
        if (!$client_sign) {
            throw new Exception('Incorrect signature');
        }
        // Does it match? hash_equals() compares in constant time and avoids
        // PHP's loose comparison of hex digests that look like numbers
        $server_sign = $this->getSign();
        if (!hash_equals($server_sign, (string) $client_sign)) {
            throw new Exception('Incorrect signature');
        }
    }

    /**
     * Compute the server-side signature
     * @return string
     */
    public function getSign()
    {
        // All request parameters (GET and POST)
        $params = request()->param();
        // Signing rules
        // Step 1: the signature itself and the token are not part of the signed data
        unset($params['sign'], $params['token']);
        // Step 2: sort the keys in ASCII order
        ksort($params);
        $wait_sign = '';
        foreach ($params as $key => $value) {
            $wait_sign .= $key . '=' . $value . '&';
        }
        // Remove the trailing & symbol
        $wait_sign = rtrim($wait_sign, '&');
        return md5($wait_sign);
    }
}
```
Generating the sign on the front end
```html
<script src="../javaScript-MD5/js/md5.js"></script>
<script>
// Signing rules (must mirror the server side):
//   1. the signature itself and the token are not part of the signed data
//   2. sort the parameter names in ASCII order
//   3. join as key=value with '&' and remove the trailing '&'
// Use a plain object: Array.prototype.sort() orders array elements, not
// named properties, so calling sort() on a params Array never sorts the keys.
var params = {};
params['id'] = 1;
params['name'] = 'Zhang San';
var sign = createSign(params);   // also sets params.timestamp
params['sign'] = sign;
var url = 'http://pyg.com/list?';
var parts = [];
for (var i in params) {
    parts.push(encodeURIComponent(i) + '=' + encodeURIComponent(params[i]));
}
url += parts.join('&');
$.ajax({
    url: url,
    dataType: 'json',
    success: function (result) {
        console.log(result);
    }
});

function createSign(params) {
    var timestamp = Math.ceil((new Date()).getTime() / 1000);
    params['timestamp'] = timestamp;
    var keys = Object.keys(params).sort();
    var wait_sign = '';
    for (var k = 0; k < keys.length; k++) {
        wait_sign += keys[k] + '=' + params[keys[k]] + '&';
    }
    wait_sign = wait_sign.substr(0, wait_sign.length - 1);
    console.log(wait_sign);
    return hex_md5(wait_sign);   // hex_md5 is provided by md5.js above
}
</script>
```
Method two: wrap a global filtering method
Set the global filtering method to htmlspecialchars.
[Note: this method makes the payment feature of the initial version unusable.]
By default the framework sets no global filtering rules; you can set the filter property (the global filter) on the app\Request object:

```php
namespace app;

class Request extends \think\Request
{
    // Applied to every request parameter the framework returns
    protected $filter = ['htmlspecialchars'];
}
```