开发者

Input validation check

开发者 https://www.devze.com 2023-01-16 06:12 出处:网络
In my website I have a forum, and I want to avoid cross site s开发者_C百科cripting. Do you know a good input validation script?There are two ways to avoid Cross Site Scripting.

In my website I have a forum, and I want to avoid cross site s开发者_C百科cripting. Do you know a good input validation script?


There are two ways to avoid Cross Site Scripting.

  1. Filter the inputs by the users (mainly script tags and html tags) both at client side as well as on server side.
  2. Display the contents as Html entities to avoid Cross Site Scripting. Ofcourse if you want to show some of the tags, go for option one. Otherwise option two is more reliable.

You can use regular expressions to filter the data both on client side as well as on server side.


I've always relied on the OWASP PHP filters: http://www.owasp.org/index.php/OWASP_PHP_Filters As you can tell from the name, they're server-side (JavaScript or HTML5 validation is only useful for assisting the user) and OWASP (the Open Web Application Security Project) is a non-profit organisation.


It depends on where do you want to write out the data. For example you need different filter when you write the text into an input field and when you write it simply into the html body, between two tags.

You should implement different filters for the different data types on server side. I suggest you should filter the text when it's printed out, and not when the user sends it to you(of course it's not about sql injections and other server side tricks), because (as I mentioned above) the type of the filter you should use is depends on where the data is printed out.

If you want to write a really simple forum, then it's enough to write only one filter, wich simply removes all html tags from the text before it's printed out. Beware, it's not good for advanced functions, for example edit comments, when you prefill a form for the user, or if the users can use any html tag in their comments, etc.


Simple. Make sure you escape the HTML from your input object before using it. This way, the data sent will be treated as raw text. The way to do this will be to pass the input through some parser before embedding the data in your page (or working with it somehow).


I agree with anand that there are two major ways to avoid XSS: validation on input and escaping on output. For validating form input, tie into Django's Form Validation Framework: http://code.google.com/appengine/articles/djangoforms.html

Here are some code samples for sanitizing on output within a Django templating. Instead of this:

Welcome, {{ firstname }}!

Do this:

Welcome, {{ firstname|escape }}!

This is from this very good blog post: http://startupsecurity.info/blog/2008/10/28/avoid-xss-on-google-app-engine/


Server Side

http://www.php.net/manual/en/function.html-entity-decode.php

http://www.php.net/manual/en/function.addslashes.php

http://www.php.net/manual/en/function.stripslashes.php

Check more string functions you need to validate

Client Side

http://www.position-relative.net/creation/formValidator/

better to write your own jquery code, in future it may help you


You have two option for validation. for non-sensitive data client side JavaScript may be use. in JavaScript, you can write simple function for validating your data.

for sensitive data, you should be use server side scripting like, php,jsp,asp,asp.net etc.

may this will help you.

0

精彩评论

暂无评论...
验证码 换一张
取 消