When do we need to use `sw_sanitize`?

Question

Sanitizing user input is important to prevent potential security vulnerabilities such as cross-site scripting (XSS) attacks. In Shopware 6 there's a filter `sw_sanitize` for that. In the templates they mostly use it for translated snippets like `detail.productNumberLabel`. When digging in the templates one can see that for a lot of entity properties, sanitizing is skipped, for example with `page.product.translated.name`. What's the thinking about this? IMO these values should also be sanitized but maybe I am missing something?

Answer 1

Score: 3

The product name is of type `StringField`, as you can see in the `ProductTranslationDefinition`. Those fields are sanitized automatically within the `StringFieldSerializer`, which is calling the `sanitize` method of the `AbstractFieldSerializer`.

The "productNumberLabel", on the other hand, is a snippet which could be overwritten by the merchant. So it needs to be made sure that it is sanitized correctly when it is displayed.

Answer 2

Score: 2

One should only use `sw_sanitize` when basic HTML tags are allowed to be displayed, like `<b>`, `<i>`, ...
By default, autoescaping is on in Twig so all values are escaped. This is stated in the docs https://twig.symfony.com/doc/3.x/templates.html#html-escaping
> When generating HTML from templates, there's always a risk that a variable will include characters that affect the resulting HTML. There are two approaches: manually escaping each variable or automatically escaping everything by default.
>
> Twig supports both, automatic escaping is enabled by default.
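To make the distinction drawn in the two answers concrete, here is an added example (not code from the page, the asker, the answerers, or Shopware) that contrasts what Twig's autoescape does to a value with what an allowlist sanitizer in the spirit of `sw_sanitize` does. The sanitizer is a minimal illustration written for this page: its tag allowlist (`b`, `i`, `em`, `strong`, `br`) is an assumption and is not Shopware's configuration, and it drops every attribute instead of filtering them. The two sample strings are constructed.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist for this illustration; not Shopware's sw_sanitize config.
ALLOWED_TAGS = {"b", "i", "em", "strong", "br"}
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}  # their text content is dropped, not kept


def autoescape(value: str) -> str:
    """What Twig's autoescape does to every output variable: each
    markup-significant character becomes an entity, so no tag survives,
    whether it is <b> or <script>. Right for entity data such as a product
    name; wrong for a snippet that is meant to carry <b>."""
    return html.escape(value, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Keep a few formatting tags, drop everything else, escape all text.

    Dropping every attribute is the simplest way to rule out event handlers
    (onerror=...) and javascript: URLs without writing an attribute filter.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open: list[str] = []  # allowed tags currently open, for balancing
        self._skip = 0             # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content still arrives via handle_data
        self.out.append(f"<{tag}>")  # attributes deliberately not re-emitted
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in self.open:
            return  # stray or disallowed close tag: dropped
        while self.open:  # close anything still open inside it, keeping nesting sane
            closed = self.open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        while self.open:  # tags the input never closed
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(value: str) -> str:
    """Allowlist sanitization in the spirit of sw_sanitize (illustration only)."""
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return parser.result()


# Constructed sample: a merchant-edited snippet that legitimately uses <b>
# but has had a payload pasted into it.
SNIPPET = "Item no. <b>#</b> <img src=x onerror=alert(1)><script>alert(2)</script>"
# Constructed sample: a product name, i.e. plain entity data.
PRODUCT_NAME = 'Tee "Berlin" <3 & more'


def demo() -> dict:
    return {
        "snippet_escaped": autoescape(SNIPPET),    # every tag neutralised, <b> lost too
        "snippet_sanitized": sanitize(SNIPPET),    # <b> kept, img and script gone
        "name_escaped": autoescape(PRODUCT_NAME),  # what autoescape does by default
        "name_sanitized": sanitize(PRODUCT_NAME),  # same result: nothing to allow
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The template-side counterpart of this is what the answers describe: the snippet goes through `sw_sanitize` so its `<b>` survives while the pasted `<img>` and `<script>` do not, and a field like the product name is simply left to autoescape, which turns every `<`, `>`, `&` and quote into an entity. For a value that contains no allowed tags the two approaches produce the same output, so applying `sw_sanitize` to entity data would gain nothing.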

huangapple
  • Posted by huangapple on 13 July 2023, 14:26:26
  • Please keep this link when reposting: https://go.coder-hub.com/76676485.html