How to prevent xss attacks in yii2-YII-php.cn

Home

PHP Framework

YII

How to prevent xss attacks in yii2

藏色散人

Jul 20, 2020 am 09:55 AM

yii2

yii2防止xss攻击的方法：首先定义一个用于防xss攻击的“actionClean”方法；然后在方法体内实现去除特殊字符；最后调用该方法即可。

How to prevent xss attacks in yii2

PHP中常用到的方法有：

推荐：《yii教程》

 /*  防sql注入,xss攻击  (1)*/
    function actionClean($str)
    {
        $str=trim($str);
        $str=strip_tags($str);
        $str=stripslashes($str);
        $str=addslashes($str);
        $str=rawurldecode($str);
        $str=quotemeta($str);
        $str=htmlspecialchars($str);
        //去除特殊字符
        $str=preg_replace("/\/|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\+|\{|\}|\:|\<|\>|\?|\[|\]|\,|\.|\/|\;|\&#39;|\`|\-|\=|\\\|\|/", "" , $str);
        $str=preg_replace("/\s/", "", $str);//去除空格、换行符、制表符
        return $str;
    }


    //防止sql注入。xss攻击(1)
    public function actionFilterArr($arr)
    {
        if(is_array($arr)){
            foreach($arr as $k => $v){
                $arr[$k] = $this->actionFilterWords($v);
            }
        }else{
            $arr = $this->actionFilterWords($arr);
        }
        return $arr;
    }


    //防止xss攻击
   public function actionFilterWords($str)
    {
        $farr = array(
            "/<(\\/?)(script|i?frame|style|html|body|title|link|meta|object|\\?|\\%)([^>]*?)>/isU",
            "/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU",
            "/select|insert|update|delete|drop|\&#39;|\/\*|\*|\+|\-|\"|\.\.\/|\.\/|union|into|load_file|outfile|dump/is"
        );
        $str = preg_replace($farr,&#39;&#39;,$str);
        return $str;
    }

    //防止sql注入,xss攻击(2)
    public function post_check($post) {
      if(!get_magic_quotes_gpc()) {
          foreach($post as $key=>$val){
             $post[$key]  = addslashes($val);
          }
        }
      foreach($post as $key=>$val){
        //把"_"过滤掉
        $post[$key] = str_replace("_", "\_", $val);
        //把"%"过滤掉
        $post[$key] = str_replace("%", "\%", $val); //sql注入
        $post[$key] = nl2br($val);
        //转换html
        $post[$key] = htmlspecialchars($val); //xss攻击
      }
      return $post;
  }

调用：

(必须放在接收数据之外)

注意：

表单提交值，为防止csrf攻击，控制器中需要加上：

The above is the detailed content of How to prevent xss attacks in yii2. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Yii in Action: Real-World Examples and ApplicationsApr 19, 2025 am 12:03 AM

The Yii framework is suitable for developing web applications of all sizes, and its advantages lie in its high performance and rich feature set. 1) Yii adopts an MVC architecture, and its core components include ActiveRecord, Widget and Gii tools. 2) Through the request processing process, Yii efficiently handles HTTP requests. 3) Basic usage shows a simple example of creating controllers and views. 4) Advanced usage demonstrates the flexibility of database operations through ActiveRecord. 5) Debugging skills include using the debug toolbar and logging system. 6) Performance optimization It is recommended to use cache and database query optimization, follow coding specifications and dependency injection to improve code quality.

How to display error prompts in yii2Apr 18, 2025 pm 11:09 PM

In Yii2, there are two main ways to display error prompts. One is to use Yii::$app->errorHandler->exception() to automatically catch and display errors when an exception occurs. The other is to use $this->addError(), which displays an error when model validation fails and can be accessed in the view through $model->getErrors(). In the view, you can use if ($errors = $model->getErrors())

What are the differences between yi2 and tp5Apr 18, 2025 pm 11:06 PM

With the continuous development of PHP framework technology, Yi2 and TP5 have attracted much attention as the two mainstream frameworks. They are all known for their outstanding performance, rich functionality and robustness, but they have some differences and advantages and disadvantages. Understanding these differences is crucial for developers to choose frameworks.

What software is better for yi framework? Recommended software for yi frameworkApr 18, 2025 pm 11:03 PM

Abstract of the first paragraph of the article: When choosing software to develop Yi framework applications, multiple factors need to be considered. While native mobile application development tools such as XCode and Android Studio can provide strong control and flexibility, cross-platform frameworks such as React Native and Flutter are becoming increasingly popular with the benefits of being able to deploy to multiple platforms at once. For developers new to mobile development, low-code or no-code platforms such as AppSheet and Glide can quickly and easily build applications. Additionally, cloud service providers such as AWS Amplify and Firebase provide comprehensive tools

How to limit the rate of Yi2Apr 18, 2025 pm 11:00 PM

The Yi2 Rate Limiting Guide provides users with a comprehensive guide to how to control the data transfer rate in Yi2 applications. By implementing rate limits, users can optimize application performance, prevent excessive bandwidth consumption and ensure stable and reliable connections. This guide will introduce step-by-step how to configure the rate limit settings of Yi2, covering a variety of platforms and scenarios to meet the different needs of users.

What is the yii framework? Tutorial on how to use yii frameworkApr 18, 2025 pm 10:57 PM

Article Summary: Yii Framework is an efficient and flexible PHP framework for creating dynamic and scalable web applications. It is known for its high performance, lightweight and easy to use features. This article will provide a comprehensive tutorial on the Yii framework, covering everything from installation to configuration to development of applications. This guide is designed to help beginners and experienced developers take advantage of the power of Yii to build reliable and maintainable web solutions.

The latest tutorial on how to call public functionsApr 18, 2025 pm 10:54 PM

This article introduces the latest tutorial on calling public functions, which is implemented in Easy Language (Yi) language. For beginners, easy-to-language programming languages are easy to learn, and this article provides a detailed step-by-step guide to help users master how to call public functions in Yi applications. By following this tutorial, users will learn how to define, load, and call common functions, thereby enhancing their code reusability and flexibility.

What is yii2? What are the advantages and disadvantages of yii2?Apr 18, 2025 pm 10:51 PM

Yii2 is a powerful PHP framework that has been widely praised by developers. With its high performance, scalability and user-friendly interface, it becomes ideal for building large, complex web applications. However, like any framework, Yii2 has some advantages and disadvantages to consider.

See all articles