从网页保存HTML并防止XSS [英] Saving Html from Webpage and Prevent XSS

问题描述

我正在使用jquery从div内容内的网页读取HTML

I am reading Html from webpage inside div content using jquery

HTML代码

<div id="content">
Html Code
</div>

jQuery代码

 var htmlContent = $("#content").html();

，然后使用Ajax Request将其直接保存到数据库中.但是，如果有人将HTML或Javascript代码注入到页面的HTML内容中，那也会被保存到数据库中.

and saving it directly into database using Ajax Request. But if somebody inject the Html or Javascript code into the Html Content of the page, that is also getting saved into database.

下一次在页面上加载html时，它感染了XSS攻击.有什么办法可以防止XSS攻击..

When next time html is loaded on page it is infected with XSS attack. Is there any way I can prevent XSS attack..

推荐答案

理想情况下，您将具有要存储的html的数据模型，并将以json等格式存储该模型.该json可用于重建html.

ideally, you will have a datamodel of the html that is being stored, and you will store that model in a format such as json. that json can be used to re-construct the html.

在该json模型中，您将仅包含被认为安全的内容.

In that json model, you will only include content that is considered safe.

现在，如果您仍然需要将html代码存储在数据库中，然后再将其注入到页面中，那么唯一安全的选择是在服务器上搜索该html，将其内容与允许内容的白名单进行比较，并删除白名单中没有的内容.

Now, if you still need to store html code in the database and inject it back into a page later, then the only safe option you have is to scour that html on the server, compare its contents with a whitelist of allowed content, and delete whatever is not in your whitelist.

请参见这篇文章

这篇关于从网页保存HTML并防止XSS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！