Home > Backend Development > PHP Tutorial > How to prevent XSS cross-site attacks in Laravel 5

How to prevent XSS cross-site attacks in Laravel 5

php中世界最好的语言
Release: 2023-03-23 15:08:01
Original
2300 people have browsed it

这次给大家带来Laravel 5怎么阻止XSS的跨站攻击,Laravel 5怎么阻止XSS跨站攻击的注意事项有哪些,下面就是实战案例,一起来看一下。

本文实例讲述了Laravel5中防止XSS跨站攻击的方法。小编分享给大家供大家参考,具体如下:

Laravel 5本身没有这个能力来防止xss跨站攻击了,但是这它可以使用Purifier 扩展包集成 HTMLPurifier 防止 XSS 跨站攻击。

1、安装

HTMLPurifier 是基于 PHP 编写的富文本 HTML 过滤器,通常我们可以使用它来防止 XSS 跨站攻击,更多关于 HTMLPurifier的详情请参考其官网:http://htmlpurifier.org/。Purifier 是在 Laravel 5 中集成 HTMLPurifier 的扩展包,我们可以通过 Composer 来安装这个扩展包:

composer require mews/purifier
Copy after login

安装完成后,在配置文件config/app.php的providers中注册HTMLPurifier服务提供者:

'providers' => [
 // ...
 MewsPurifierPurifierServiceProvider::class,
]
然后在aliases中注册Purifier门面:
'aliases' => [
 // ...
 'Purifier' => MewsPurifierFacadesPurifier::class,
]
Copy after login

2、配置

要使用自定义的配置,发布配置文件到config目录:

php artisan vendor:publish
Copy after login

这样会在config目录下生成一个purifier.php文件:

return [
 'encoding' => 'UTF-8',
 'finalize' => true,
 'preload' => false,
 'cachePath' => null,
 'settings' => [
  'default' => [
   'HTML.Doctype'    => 'XHTML 1.0 Strict',
   'HTML.Allowed'    => 'p,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
   'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
   'AutoFormat.AutoParagraph' => true,
   'AutoFormat.RemoveEmpty' => true
  ],
  'test' => [
   'Attr.EnableID' => true
  ],
  "youtube" => [
   "HTML.SafeIframe" => 'true',
   "URI.SafeIframeRegexp" => "%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%",
  ],
 ],
];
Copy after login

3、使用示例

可以使用辅助函数clean:

clean(Input::get('inputname'));
Copy after login

或者使用Purifier门面提供的clean方法:

Purifier::clean(Input::get('inputname'));
Copy after login

还可以在应用中进行动态配置

clean('This is my H1 title', 'titles');
clean('This is my H1 title', array('Attr.EnableID' => true));
Copy after login

或者你也可以使用Purifier门面提供的方法:

Purifier::clean('This is my H1 title', 'titles');
Purifier::clean('This is my H1 title', array('Attr.EnableID' => true));
Copy after login

php防止xss攻击

<?PHP
function clean_xss(&$string, $low = False)
{
 if (! is_array ( $string ))
 {
 $string = trim ( $string );
 $string = strip_tags ( $string );
 $string = htmlspecialchars ( $string );
 if ($low)
 {
 return True;
 }
 $string = str_replace ( array (&#39;"&#39;, "\\", "&#39;", "/", "..", "../", "./", "//" ), &#39;&#39;, $string );
 $no = &#39;/%0[0-8bcef]/&#39;;
 $string = preg_replace ( $no, &#39;&#39;, $string );
 $no = &#39;/%1[0-9a-f]/&#39;;
 $string = preg_replace ( $no, &#39;&#39;, $string );
 $no = &#39;/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S&#39;;
 $string = preg_replace ( $no, &#39;&#39;, $string );
 return True;
 }
 $keys = array_keys ( $string );
 foreach ( $keys as $key )
 {
 clean_xss ( $string [$key] );
 }
}
//just a test
$str = &#39;<meta http-equiv="refresh" content="0;">';
clean_xss($str); //如果你把这个注释掉,你就知道xss攻击的厉害了
echo $str;
?>
Copy after login

相信看了本文案例你已经掌握了方法,更多精彩请关注php中文网其它相关文章!

推荐阅读:

PHP数组访问接口ArrayAccess使用详解

php如何统计二进制算法

The above is the detailed content of How to prevent XSS cross-site attacks in Laravel 5. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template