From the CodeIgniter config.php file: is allowing the @ character in URLs dangerous?
/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify with a regular expression which characters are permitted
| within your URLs. When someone tries to submit a URL with disallowed
| characters they will get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
Is it safe if I add the @ character to this list of allowed characters? What are the risks?
Thanks
It is the '%' that should not be allowed. – Gumbo 2010-11-08 07:32:29
@Gumbo, it should be allowed - read the code comment again. – 2010-11-08 07:34:04
@J-16 SDiZ: So 'foo%~bar' is allowed but obviously invalid. – Gumbo 2010-11-08 07:37:09
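The whitelist from the question and the 'foo%~bar' case from the comments can be tried side by side. This is an added example, not part of the original thread and not CodeIgniter's own code: it models the setting as a plain regular-expression character class, and the helpers `segment_allowed()` and `percent_encoding_valid()` and the sample segments are constructed for illustration.

```php
<?php
// Added example: a simplified model of a character-whitelist check.
// segment_allowed() and percent_encoding_valid() are hypothetical helpers,
// not CodeIgniter functions.

// Whitelist exactly as it appears in the config on this page.
$default = 'a-z 0-9~%.:_\-';
// The change the question asks about: '@' appended to the list.
$with_at = 'a-z 0-9~%.:_\-@';

// True when every character of $segment is inside the character class.
function segment_allowed(string $segment, string $permitted): bool
{
    return preg_match('/^[' . $permitted . ']+$/i', $segment) === 1;
}

// True when every '%' starts a well-formed escape ('%' plus two hex digits).
function percent_encoding_valid(string $segment): bool
{
    return preg_match('/^(?:[^%]|%[0-9a-f]{2})*$/i', $segment) === 1;
}

// Constructed sample segments: a literal '@', its encoded form,
// and the malformed escape quoted in the comments.
$samples = ['user@example.com', 'user%40example.com', 'foo%~bar'];

foreach ($samples as $s) {
    printf(
        "%-20s default=%-5s with_at=%-5s encoding_ok=%-5s decoded=%s\n",
        $s,
        var_export(segment_allowed($s, $default), true),
        var_export(segment_allowed($s, $with_at), true),
        var_export(percent_encoding_valid($s), true),
        rawurldecode($s)
    );
}
```

In this model the default class already accepts `user%40example.com`, so a raw-character whitelist constrains what appears in the request rather than what the application sees after decoding. A separate well-formedness check is what rejects `foo%~bar`.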