此代码是否容易受到XSS攻击? [英] Is this code vulnerable to XSS attacks?
问题描述
这个问题确实产生于:
为什么浏览器会修改包含& #x的HTML元素的ID?
The question did arise from this one:
Why does the browser modify the ID of an HTML element that contains &#x?
给出以下网页:
<html>
<head>
<script type="text/javascript">
// --------------------------------------------------------
// could calling this method produce an XSS attack?
// --------------------------------------------------------
function decodeEntity(text){
text = text.replace(/<(.*?)>/g,''); // strip out all HTML tags, to prevent possible XSS
var div = document.createElement('div');
div.innerHTML = text;
return div.textContent?div.textContent:div.innerText;
}
function echoValue(){
var e = document.getElementById(decodeEntity("/path/$whatever"));
if(e) {
alert(e.innerHTML);
}
else {
alert("not found\n");
}
}
</script>
</head>
<body>
<p id="/path/$whatever">The Value</p>
<button onclick="echoValue()">Tell me</button>
</body>
</html>
<$ c $的 id c>< p> 元素包含为了防止XSS攻击而被转义的字符。 HTML部分和JS部分由服务器生成,服务器在两个部分上插入相同的转义值(可能来自不安全的源)。
The id of the <p> element contains characters that were escaped in order to prevent XSS attacks. The HTML part and JS part are generated by the server and the server inserts the same escaped value (which could origin from an unsecure source) on both parts.
服务器以& #x 格式转义以下字符范围:
The server escapes the following character ranges in the &#x format:
- 0x00– 0x2D
- 0x3A– 0x40
- 0x5B– 0x5E
- 0x60
- 0x7B– 0xFF
- 0x0100– 0xFFFF
- 0x00 – 0x2D
- 0x3A – 0x40
- 0x5B – 0x5E
- 0x60
- 0x7B – 0xFF
- 0x0100 – 0xFFFF
换句话说:不转义的唯一字符是:
In other words: the only characters that are not escaped are:
- 0x2E– 0x39(
。,/,0123456789) - 0x41– 0x5A(
A–Z) - 0x5F(
_) - 0x61– 0x7A(
a–z)
- 0x2E – 0x39 (
.,/,0123456789) - 0x41 – 0x5A (
A–Z) - 0x5F (
_) - 0x61 – 0x7A (
a–z)
现在,我必须通过javascript访问< p> 。引用问题中的函数 echoValue()总是失败,因为浏览器会将&#x24; 转换为<$ c HTML部分中的$ c> $ ,但在JS部分中将其保留为&#x24; 。
Now, I have to get access to that <p> through javascript. The function echoValue() in the referenced question always failed because the browser converts $ to $ in the HTML part but leaves it as $ in the JS part.
So, Gareth came up with an answer that is simple and works.
我担心的是XSS攻击的可能性被消除了当使用引用答案中提供的 decodeEntity()函数时,将再次出现转义动态字符串。
My concern is that the possibility of an XSS attack that was eliminated by escaping the dynamic strings will arise again when using the decodeEntity() function provided in the referenced answer.
任何人都可以指出是否存在安全问题(哪个?)(为什么不?)?
Could anybody point out whether there might be security concerns (which?) or not (why not?)?
推荐答案
我首先建议您查看以下链接,在Javascript中讨论JavaScript和XSS中的HTML卫生:
I first suggest you have a look at the following links discussing HTML sanitation in JavaScript and XSS in Javascript:
- Sanitize/Rewrite HTML on the Client Side
- How to prevent Javascript injection attacks within user-generated HTML
安全课程编号1:
不要重新发明轮子。如果以前做过某些事情,他们可能比你的临时解决方案做得更好。
Security Lesson no 1: Don't reinvent the wheel. If something has been done before, chances are they did a better job than your ad hoc solution.
尽管我无法从头脑中找到方法利用你的简单正则表达式我不相信它真的捕获所有情况。第一个链接提供了一个更加详细的解决方案,并经过全面审查和测试。
Even though I can't from the top of my mind find a way to exploit your simple regex I am not conviced it really captures all cases. The first link provides a solution that is more elaborated and has been reviewed and tested thoroughly.
我还建议您查看 XSS Filter Evasion Cheat Sheet 。告诉你真正的好人们会想出什么样的讨厌的东西。
I also suggest you look at XSS Filter Evasion Cheat Sheet. Shows you real good what kind of nasty things people might come up with.
这篇关于此代码是否容易受到XSS攻击?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
