安全Node.js聊天(避免XSS) [英] Secure Node.js chat (avoid XSS)
问题描述
我正在与Node.js建立简单的小聊天和socket.io
当用户输入他的消息时,它会被广播给所有其他用户。 / p>
服务器发送消息:
io.sockets.emit(' fromServerToClient',{message:message});
客户显示它:
socket.on('fromServerToClient',function(data){
$('#messages')。append(data.message +'< br />');
});
但是当您发送类似< script> alert(1)的内容时; < / script> ,它在每个客户端浏览器上执行。
这是一个严重的安全漏洞,我想尽量避免它尽可能。
我看到有人逃脱&,<,>和字符,但我认为这还不够!
我如何100%确定没有XSS漏洞聊天?
顺便说一句,我总是指定字符集来避免UTF-7攻击。
谢谢你你的帮助。
不要使用 .html()因为这基本上是 eval 类固醇 - 能够解释各种语言。
文本总是被解释尽管如此:
$('#messages')。append($(< div>,{
text:data.message
}));
I'm building a simple little chat with Node.js and socket.io
When a user types his message, it is broadcasted to all other users.
Server sends the message :
io.sockets.emit('fromServerToClient', { "message": message });
Client displays it :
socket.on('fromServerToClient', function (data) {
$('#messages').append(data.message + '<br />');
});
But when you send something like <script>alert(1);</script>, it is executed on every client browser.
This is a serious security flaw and I want to avoid it as much as possible.
I've seen people escape &, <, > and " characters, but I don't think it's enough!
How can I be 100% sure of not having a XSS vulnerability on my chat?
By the way, I always specify the charset to avoid UTF-7 attacks.
Thanks for your help.
Don't use .html() because that's basically eval on steroids - capable of causing the interpretation of a good variety of languages.
Text is always interpreted as text though:
$('#messages').append($("<div>", {
text: data.message
}));
这篇关于安全Node.js聊天(避免XSS)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
