网页中与脚本相关的HTML标签的中和不正确(基本XSS)? [英] Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)?
问题描述
您好,我们最近在应用程序上执行了Veracode静态扫描。我们的大多数应用程序都是动态的,因为我们根据用户选择将html /脚本插入到页面中。
当我们运行veracode静态扫描时,我们收到以下代码片段的以下缺陷。
$ currentDropDown.parents('。selectListRegion')。siblings(。pmDifContent)。html(result);
它抱怨.html(结果)< br $>
攻击向量:jQueryResult.html
描述:这个对jQueryResult.html()的调用包含一个十字站点脚本(XSS)漏洞。应用程序使用用户提供的输入填充HTTP响应,允许攻击者嵌入恶意内容,例如Javascript代码,这些内容将在受害者的浏览器上下文中执行。 XSS漏洞通常被利用来窃取或操纵cookie,修改内容的呈现以及危害机密信息,并定期发现新的攻击媒介。
MVC返回局部视图的动作方法。
Hello , We recently performed a Veracode static scan on the application. Most of our application behaves dynamic as we insert html/script to the page based on the user selection.
When we ran the veracode static scan we received following flaw for the following code snippet.
$currentDropDown.parents('.selectListRegion').siblings(".pmDifContent").html(result);
it is complaining about the .html(result)
Attack Vector: jQueryResult.html
Description: This call to jQueryResult.html() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with user-supplied input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.
MVC Action method that returns the partial view.
public ActionResult LoadActvity()
{
ViewData["CurrentReasonModelId"] = ViewData["CurrentSubReasonModelId"] = 1;
var reasonData = GetReasonModel();
ReasonViewBuilder.PopulateDataFromSession(null, reasonData.ReasonModels[0].SubReasonModels[0]);
return PartialView(Constants.Constants.NewSubReasonModelGridPartailViewPath,
new ReasonViewModel(reasonData));
}
调用上述操作方法并接收结果的JQuery代码(HTML /脚本)
$ .get(reasonControllerPath +加载,功能(结果){
$ currentDropDown.parents('。selectListRegion')。兄弟姐妹
(。KidContent)。html(result);
//相应地修改控件属性。
modifyControlAttributesForActivityGrid(currentPanelIndex,$ currentDropDown.parents('。selectListRegion')。siblings(。premiumDiffChildContent));
})。always(function(){
$ .unblockUI();
});
传递给视图的结果:
JQuery code that invokes the above action method and receives result (HTML/Script)
$.get(reasonControllerPath + "Load", function (result) {
$currentDropDown.parents('.selectListRegion').siblings
(".ChildContent").html(result);
// modify control attributes accordingly.
modifyControlAttributesForActivityGrid(currentPanelIndex, $currentDropDown.parents('.selectListRegion').siblings(".premiumDiffChildContent"));
}).always(function () {
$.unblockUI();
});
Result that is being passed to the view :
<script type="text/javascript">
$(document).ready(function () {
$(".aList").tablesorter({ debug: true, selectorHeaders: "thead th" });
$(".activitiesCollectionPanel .thInner").each(function () {
if ($(this).attr("id") != "firstHeader")
$(this).addClass("header");
});
$(".activitiesCollectionPanel .thInner").on("click", function () {
setTimeout(function () {
$(".activitiesCollectionPanel .thInner").each(function () {
if ($(this).attr("id") != "firstHeader")
$(this).removeClass().addClass("thInner " + $(this).parent().attr("class"));
});
}, 10);
})
}
);
</script>
<div class="activitiesCollectionPanel">
<div class="displayText">
<label for="ReasonData_ReasonModels_0__SubReasonModels_0__Activities">Please select activity</label>
</div>
<div style="width: 665px;">
<div> </div>
<div> div>
<table class="activitiesList">
<thead>
</thead>
<tbody>
;/tbody>
</table>
</div>
</div>
</div>
如上所示,我们正在传递HTML /脚本作为结果。
你知道如何在上述场景中避免XSS漏洞吗?
As you could see above, we are passing the HTML/Script as a result.
Do you know how I can avoid the XSS flaw in the above scenario?
推荐答案
currentDropDown.parents('。selectListRegion')。siblings(。pmDifContent)。html(result);
它抱怨.html(结果)
攻击向量:jQ ueryResult.html
描述:这个对jQueryResult.html()的调用包含一个跨站点脚本(XSS)缺陷。应用程序使用用户提供的输入填充HTTP响应,允许攻击者嵌入恶意内容,例如Javascript代码,这些内容将在受害者的浏览器上下文中执行。 XSS漏洞通常被利用来窃取或操纵cookie,修改内容的呈现以及危害机密信息,并定期发现新的攻击媒介。
MVC返回局部视图的动作方法。
currentDropDown.parents('.selectListRegion').siblings(".pmDifContent").html(result);
it is complaining about the .html(result)
Attack Vector: jQueryResult.html
Description: This call to jQueryResult.html() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with user-supplied input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.
MVC Action method that returns the partial view.
public ActionResult LoadActvity()
{
ViewData["CurrentReasonModelId"] = ViewData["CurrentSubReasonModelId"] = 1;
var reasonData = GetReasonModel();
ReasonViewBuilder.PopulateDataFromSession(null, reasonData.ReasonModels[0].SubReasonModels[0]);
return PartialView(Constants.Constants.NewSubReasonModelGridPartailViewPath,
new ReasonViewModel(reasonData));
}
调用上述操作方法并接收结果的JQuery代码(HTML /脚本)
JQuery code that invokes the above action method and receives result (HTML/Script)
.get(reasonControllerPath +加载,功能(结果){
.get(reasonControllerPath + "Load", function (result) {
currentDropDown.parents('。selectListRegion')。兄弟姐妹
(。KidContent)。html(结果) ;
//相应地修改控件属性。
modifyControlAttributesForActivityGrid(currentPanelIndex,
currentDropDown.parents('.selectListRegion').siblings
(".ChildContent").html(result);
// modify control attributes accordingly.
modifyControlAttributesForActivityGrid(currentPanelIndex,
这篇关于网页中与脚本相关的HTML标签的中和不正确(基本XSS)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
