从笨config.php文件:@ URL中允许的字符,是否危险?
/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify with a regular expression which characters are permitted
| within your URLs. When someone tries to submit a URL with disallowed
| characters they will get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
难道是安全的,我到@
字符添加到允许的字符这个名单?有什么风险?
感谢
这是'%'而不允许的。 – Gumbo 2010-11-08 07:32:29
@Gumbo,应该允许 - 再次阅读代码注释。 – 2010-11-08 07:34:04
@ J-16 SDiZ:所以'foo%〜bar'被允许但显然无效。 – Gumbo 2010-11-08 07:37:09