XSS filter to remove all scripts


Question

I am implementing an XSS filter for my web application and also using the ESAPI encoder to sanitise the input.

The patterns I am using are as given below:

import java.util.regex.Pattern;

// Blacklist patterns the filter runs over the input
private static final Pattern[] PATTERNS = {
    // Script fragments
    Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
    // src='...'
    Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
    Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
    // lonely script tags
    Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
    Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
    // eval(...)
    Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
    // expression(...)
    Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
    // javascript:...
    Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
    // vbscript:...
    Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
    // onload(...)=...
    Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)
};

But still a few scripts are not getting filtered, specially the ones which are appended to a parameter like

url?sourceId = abx; alert('hello');

How do I handle this?

Recommended answer

This isn't the right approach. It's mathematically impossible to write a regex capable of correctly punting XSS. (Regex is "regular" but HTML and Javascript are both context-free grammars.)

You can, however, guarantee that when you switch contexts (hand off a piece of data that is going to be interpreted), the data is correctly escaped for that context switch. So, when sending data to a browser, escape it for HTML if it's being handled as HTML, or for Javascript if it's being handled by javascript.

If you DO need to allow HTML/javascript into your application, then you'll want a web-application firewall or a framework like HDIV.
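As an added example (not from the question, the answer, or ESAPI itself), the Java below shows the answer's point in practice: the question's regex blacklist passes the reflected sourceId value straight through, while encoding that same value for the context it lands in (HTML text or a JavaScript string literal) leaves nothing the browser will execute. The two encoders are hand-rolled illustrations of what ESAPI's encodeForHTML and encodeForJavaScript do; the class and method names are assumptions.

```java
import java.util.List;
import java.util.regex.Pattern;

public class ContextEncodingDemo {
    // Two of the question's own blacklist patterns; enough to show the blind spot.
    static final List<Pattern> BLACKLIST = List.of(
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.DOTALL));

    // Blacklist approach from the question: strip whatever the patterns match.
    static String blacklistFilter(String value) {
        for (Pattern p : BLACKLIST) value = p.matcher(value).replaceAll("");
        return value;
    }

    // HTML text/attribute context: the five characters that can change parsing.
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // JavaScript string-literal context: everything outside [A-Za-z0-9] becomes
    // \xHH or \uHHHH, so quotes, ';' and '</' cannot end the literal or the script.
    static String encodeForJavaScript(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) sb.append(c);
            else if (c < 256) sb.append(String.format("\\x%02X", (int) c));
            else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String sourceId = "abx; alert('hello');";  // the reflected value from the question
        System.out.println(blacklistFilter(sourceId));  // the question's blacklist, run as-is
        System.out.println("var id = '" + encodeForJavaScript(sourceId) + "';");  // JS literal
        System.out.println("<p>" + encodeForHtml(sourceId) + "</p>");  // HTML text node
    }
}
```

The encoder to use is decided by where the template puts the value, not by what the value looks like, which is why the choice has to be made at each output point rather than once at input.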
