
ThinkPHP’s method to prevent XSS attacks

angryTom (forwarded) 2020-03-10 12:45:36

This article introduces how to configure ThinkPHP (TP) to prevent XSS attacks. I hope it will be helpful to friends who are learning ThinkPHP!


1. If your project does not have a rich text editor, you can use the global filtering method: set htmlspecialchars as the default filter in the config file under the application directory:

// Default global filter method; separate multiple methods with commas
'default_filter' => 'htmlspecialchars',


If you have a rich text editor, this kind of XSS defense is not suitable: htmlspecialchars escapes every tag, including the HTML the editor legitimately produces.

In that case, use composer to install a plug-in to handle the filtering. Command:

composer require ezyang/htmlpurifier


After the installation succeeds, add the following code to common.php under the application directory, where the public functions are placed:

if (!function_exists('remove_xss')) {
    // Use HTMLPurifier to defend against XSS attacks
    function remove_xss($string)
    {
        // Not needed when installed via composer. Otherwise include the
        // HTMLPurifier.auto.php core file, relative to the index.php entry file
        // require_once './plugins/htmlpurifier/HTMLPurifier.auto.php';

        // Create the configuration object
        $cfg = HTMLPurifier_Config::createDefault();
        // Configuration follows:
        $cfg->set('Core.Encoding', 'UTF-8');
        // Set the allowed HTML tags (with their allowed attributes in brackets)
        $cfg->set('HTML.Allowed', 'div,b,strong,i,em,a[href|title],ul,ol,li,br,p[style],span[style],img[width|height|alt|src]');
        // Set the allowed CSS style properties
        $cfg->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align');
        // Allow target="_blank" on <a> tags
        $cfg->set('HTML.TargetBlank', true);
        // Build the filtering object from the configuration
        $obj = new HTMLPurifier($cfg);
        // Filter the string
        return $obj->purify($string);
    }
}

Then open the config.php configuration file in the application directory and change the default filter method to the name of that function, remove_xss.


This combines the framework's own filtering with the plug-in; the code above can be used directly.

You can also perform XSS filtering on a single field only:

1. Modify the config file and change the default filter back to 'default_filter' => 'htmlspecialchars',

2. Then, for the field you want to change, apply remove_xss to that field instead of relying on the global filter.
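As an added example, not from the original article, the script below runs the two strategies side by side on a constructed rich-text submission and then shows the per-field form. It assumes that HTMLPurifier was installed via composer (vendor/autoload.php), that the remove_xss() function from the article lives in application/common.php, and that ThinkPHP 5's input() helper is available, which accepts a filter name as its third argument.

```php
<?php
// Added example; not the article's or the framework's own code.
// Assumptions: composer autoloader at vendor/autoload.php and the article's
// remove_xss() function defined in application/common.php.
require __DIR__ . '/vendor/autoload.php';
require __DIR__ . '/application/common.php';

// Constructed sample of what a rich-text editor might submit, mixed with
// markup that a filter must not pass through unchanged.
$submitted = '<p style="color:red;position:absolute">Hello <b>world</b></p>'
    . '<script>document.title = "x";</script>'
    . '<a href="https://example.com" title="t" onclick="void(0)">link</a>';

// Strategy 1 (global htmlspecialchars): every tag is escaped, so the <b>
// produced by the editor is rendered as literal text instead of bold.
$escaped = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');

// Strategy 2 (HTMLPurifier with the article's allow-list): the <p>, <b> and
// <a href|title> survive; the <script> element, the onclick attribute and the
// 'position' CSS property (not in CSS.AllowedProperties) are removed, and
// target="_blank" is added to the link because HTML.TargetBlank is on.
$clean = remove_xss($submitted);

echo "htmlspecialchars:\n", $escaped, "\n\n";
echo "HTMLPurifier:\n", $clean, "\n";

// Per-field use (step 2 above): inside a ThinkPHP 5 controller, pass the
// filter name for just this field rather than changing default_filter globally.
if (function_exists('input')) {
    $content = input('post.content', '', 'remove_xss');
}
```

Running the script from the project root prints both results so the difference is visible: the escaped version is safe but unusable as rich text, while the purified version keeps only the markup the allow-list names.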


Statement:
This article is reproduced from zhihu.com. If there is any infringement, please contact admin@php.cn for deletion.