search
Homephp教程PHP开发Methods to prevent XSS cross-site attacks in Laravel5

本文实例讲述了Laravel5中防止XSS跨站攻击的方法。分享给大家供大家参考,具体如下:

Laravel 5本身没有这个能力来防止xss跨站攻击了,但是这它可以使用Purifier 扩展包集成 HTMLPurifier 防止 XSS 跨站攻击。

1、安装

HTMLPurifier 是基于 PHP 编写的富文本 HTML 过滤器,通常我们可以使用它来防止 XSS 跨站攻击,更多关于 HTMLPurifier的详情请参考其官网:http://htmlpurifier.org/。Purifier 是在 Laravel 5 中集成 HTMLPurifier 的扩展包,我们可以通过 Composer 来安装这个扩展包:

composer require mews/purifier

   

安装完成后,在配置文件config/app.php的providers中注册HTMLPurifier服务提供者:

'providers' => [
 // ...
 Mews\Purifier\PurifierServiceProvider::class,
]
然后在aliases中注册Purifier门面:
'aliases' => [
 // ...
 'Purifier' => Mews\Purifier\Facades\Purifier::class,
]

   

2、配置

要使用自定义的配置,发布配置文件到config目录:

php artisan vendor:publish

   

这样会在config目录下生成一个purifier.php文件:

return [
 'encoding' => 'UTF-8',
 'finalize' => true,
 'preload' => false,
 'cachePath' => null,
 'settings' => [
  'default' => [
   'HTML.Doctype'    => 'XHTML 1.0 Strict',
   'HTML.Allowed'    => 'div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
   'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
   'AutoFormat.AutoParagraph' => true,
   'AutoFormat.RemoveEmpty' => true
  ],
  'test' => [
   'Attr.EnableID' => true
  ],
  "youtube" => [
   "HTML.SafeIframe" => 'true',
   "URI.SafeIframeRegexp" => "%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%",
  ],
 ],
];

   

3、使用示例

可以使用辅助函数clean:

clean(Input::get('inputname'));

   

或者使用Purifier门面提供的clean方法:

Purifier::clean(Input::get('inputname'));

   

还可以在应用中进行动态配置:

clean('This is my H1 title', 'titles');
clean('This is my H1 title', array('Attr.EnableID' => true));

   

或者你也可以使用Purifier门面提供的方法:

Purifier::clean('This is my H1 title', 'titles');
Purifier::clean('This is my H1 title', array('Attr.EnableID' => true));

   

php防止xss攻击

<?PHP
function clean_xss(&$string, $low = False)
{
 if (! is_array ( $string ))
 {
 $string = trim ( $string );
 $string = strip_tags ( $string );
 $string = htmlspecialchars ( $string );
 if ($low)
 {
 return True;
 }
 $string = str_replace ( array (&#39;"&#39;, "\\", "&#39;", "/", "..", "../", "./", "//" ), &#39;&#39;, $string );
 $no = &#39;/%0[0-8bcef]/&#39;;
 $string = preg_replace ( $no, &#39;&#39;, $string );
 $no = &#39;/%1[0-9a-f]/&#39;;
 $string = preg_replace ( $no, &#39;&#39;, $string );
 $no = &#39;/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S&#39;;
 $string = preg_replace ( $no, &#39;&#39;, $string );
 return True;
 }
 $keys = array_keys ( $string );
 foreach ( $keys as $key )
 {
 clean_xss ( $string [$key] );
 }
}
//just a test
$str = &#39;jb51.net<meta http-equiv="refresh" content="0;">&#39;;
clean_xss($str); //如果你把这个注释掉,你就知道xss攻击的厉害了
echo $str;
?>

   

希望本文所述对大家基于Laravel框架的PHP程序设计有所帮助。

更多Laravel5中防止XSS跨站攻击的方法相关文章请关注PHP中文网!

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

MantisBT

MantisBT

Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

PhpStorm Mac version

PhpStorm Mac version

The latest (2018.2.1) professional PHP integrated development tool

MinGW - Minimalist GNU for Windows

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

mPDF

mPDF

mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),

ZendStudio 13.5.1 Mac

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment