避免使用XSS并允许一些带有JavaScript的html标签 [英] Avoid XSS and allow some html tags with JavaScript
问题描述
我当前的项目遇到了问题:
用户可以使用textarea发送电子邮件。我们允许用户输入他们想要的内容,从而允许用于格式化的HTML。
例如,应允许用户使用< b> 标记作为粗体文字。
I've got a problem in my current project:
Users can send an email using a textarea. We allow the user to put in whatever they want, and thus some HTML for formatting.
For example, the user should be allowed to use the <b> tag for bold text.
完成他们的电子邮件后,用户应该能够动态地查看他们的电子邮件预览。
After completing their email, the user should be able to view a preview of their email dynamically.
但是有一个小问题,我怎么能避免XSS黑客攻击正在显示预览?
There is a slight problem though, how can I avoid XSS hacks when the preview is being displayed?
您可以使用 underscore.js 来删除它们,但这不会格式化他们的预览。
You can ofcourse strip them using underscore.js, but that wouldn't format their preview.
所以我现在禁止所有HTML标签,只允许使用< hr> 等标签,< b> 等。
So I have forbidden all HTML tags for now, and only allowed tags like <hr>, <b>, etc.
您对此解决方案有何看法?它是否足够安全?
What do you think about this solution? Is it secure enough?
推荐答案
为了防止应用程序受到XSS攻击,我通常使用以下规则:
In order to prevent Application from XSS attacks I usually use following rules:
-
确定应用程序的安全级别。
有几种工具可以保护您的应用程序,因为我提供了更好的安全性 OWASP 工具: ESAPI 或 AntySami 。
注意:使用Sanitization并不能保证过滤所有恶意代码,因此工具的安全性可能更高或更低。
Determine the level of security for your application.
There are several tools that can protect your application as for me better security is provided by OWASP tools: ESAPI or AntySami.
Note:Using Sanitization does not guarantee filtering of all malicious code, so tools can be more or less secure.
了解您是否需要在客户端,服务器或双方执行清理。在大多数情况下,它足以在服务器端执行此操作。
Understand whether you need to perform sanitization on client, server or both sides. In most cases it's enough to do this on server side.
了解是否需要保留html标记(以及需要保留的标记)。如前所述,不允许使用html标签是更安全的解决方案。
Understand whether you need to preserve html tags (and what tags you need to preserve) or not. As it was stated previously not allowing html tags is more secure solution.
基于此,您可以找到一个正确的决定。$
1.我个人用于服务器代码清理,我使用 jSoup 。至于我这是非常好的工具。
通常为了检查输入漏洞我使用以下向量:
Based on this you can find a proper decision.
1. Personally for server code sanitization I used jSoup. As for me it's pretty good tool to do this.
Usually In order to check input vulnerability I am using following vector:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
- 如果您需要在客户端阻止XSS,您可以使用以下工具:
a) JSSANItazer 似乎有点过时
b)尘埃 - 由推特维护;
- In case you need prevent XSS on client side you can use following tools:
a) JSSANItazer seems a bit outdated
b) Dust - maintained by twitter;
这些工具可以让您轻松清理输入,主要是回答对于你的问题。
These tools easily can allow you to sanitize your input and mainly is answer for your question.
上面提到的服务器端工具。
Server side tools mentioned above.
关于第3点。
如果你不需要处理html标签,你可以在服务器端轻松使用ESAPI,并且客户端的ESAPI4JS 。据我所知它不适合你。
Regarding 3rd point. In case you don't need to handle html tags you can easily use ESAPI on server side and ESAPI4JS on client side. As I understand it doesn't work for you.
当我读到你的任务时,我知道你正在存储电子邮件消息因此在你的情况下需要清理服务器上的输入一边(使用工具之一),你可以在客户端添加或不添加。您只需要决定是在UI端添加另一个清理还是在服务器上呈现预览页面。
When I read your task I understood that you are storing email message therefore In your case it's required to sanitize input on server side (using one of tools) and it's as per you to add it or not on client side. You need only decide whether add another sanitization on UI side or render your "preview page" on server.
这篇关于避免使用XSS并允许一些带有JavaScript的html标签的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
