我有一个值,最终会成为html id=属性。我无法控制设置值的内容,因此可能不安全。我知道检查单引号和双引号,但是我要检查以确保它干净吗?
variables.result &= '<div class="alert alert-danger"';
if(attributes.id != "") variables.result &= ' id="#attributes.id#"';
答案 0 :(得分:1)
如果我理解正确,那么这可能是您正在寻找的:
http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer
编辑:在PHP中:
What's the best method for sanitizing user input with PHP?
EDIT2:没有看到你正在使用coldfusion,也许就是这样:
答案 1 :(得分:1)
如果使用ColdFusion生成变量名,您可以使用&#34;变量&#34; Inflector CFC的方法。它会将任何字符串转换为安全的下划线分隔列表,该列表可用作ColdFusion变量名称。 (Inflector基于Ruby on Rails ActiveSupport :: Inflector类。)
https://github.com/timblair/coldfusion-inflector
<cffunction name="variablise" access="public" returntype="string" output="no" hint="Converts a string to a variable name, e.g. CamelCase becomes camel_case, 'big CSSDogThing' becomes big_css_dog_thing etc.">
<cfargument name="string" type="string" required="yes" hint="The string to variablise">
<cfset arguments.string = replace(trim(rereplace(arguments.string, "([^[:alnum:]_-]+)", " ", "ALL")), " ", "-", "ALL")>
<cfset arguments.string = rereplace(arguments.string, "([A-Z]+)([A-Z][a-z])", "\1_\2", "ALL")>
<cfset arguments.string = rereplace(arguments.string, "([a-z\d])([A-Z])", "\1_\2", "ALL")>
<cfreturn lcase(replace(arguments.string, "-", "_", "ALL"))>
</cffunction>