在Node.js/服务器端javascript中阻止XSS [英] Preventing XSS in Node.js / server side javascript

问题描述

您知道如何防止对node.js应用程序进行XSS攻击吗?那里有任何可以处理移除href，onclick属性等中的javascript的库.从发布的数据中获取?

Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes,etc. from POSTed data?

我不想为所有这些写正则表达式:)

I don't want to have to write a regex for all that :)

有什么建议吗?

推荐答案

One of the answers to Sanitize/Rewrite HTML on the Client Side suggests borrowing the whitelist-based HTML sanitizer in JS from Google Caja which, as far as I can tell from a quick scroll-through, implements an HTML SAX parser without relying on the browser's DOM.

更新:此外，请记住，Caja消毒器显然已经过全面，专业的安全审查，而正则表达式以易于破坏安全性的方式而出名，因此广为人知.

Update: Also, keep in mind that the Caja sanitizer has apparently been given a full, professional security review while regexes are known for being very easy to typo in security-compromising ways.

更新2017年9月24日::现在也有 DOMPurify .我尚未使用它，但看起来它达到或超过了我要寻找的每一个要点:

Update 2017-09-24: There is also now DOMPurify. I haven't used it yet, but it looks like it meets or exceeds every point I look for:

• 尽可能依靠运行时环境提供的功能. (对于性能和最大化安全性而言，尽可能多地依赖经过充分测试的成熟实现，这很重要.)

• Relies on functionality provided by the runtime environment wherever possible. (Important both for performance and to maximize security by relying on well-tested, mature implementations as much as possible.)

• 对于Node.JS依赖于浏览器的DOM或 jsdom .

默认配置旨在尽可能减少剥离，同时仍保证删除javascript.

Default configuration designed to strip as little as possible while still guaranteeing removal of javascript.

• 支持HTML，MathML和SVG
• 在IE8和IE9下回到Microsoft专有的，不可配置的toStaticHTML.

高度可配置，使其适用于对可以包含任意HTML(例如WYSIWYG或Markdown注释字段)的输入施加限制. (实际上，这是这里的顶端)

Highly configurable, making it suitable for enforcing limitations on an input which can contain arbitrary HTML, such as a WYSIWYG or Markdown comment field. (In fact, it's the top of the pile here)

• 支持常用的标记/属性白名单/黑名单和URL正则表达式白名单
• 具有特殊的选项，可以对某些常见类型的HTML模板元字符进行进一步的清理.

他们对兼容性和可靠性很认真

They're serious about compatibility and reliability

• 在16种不同的浏览器以及Node.JS的三个不同主要版本上运行的自动化测试.
• 为确保开发人员和CI主机都在同一页面上，将发布锁定文件.

这篇关于在Node.js/服务器端javascript中阻止XSS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！