HTML编码会阻止XSS安全漏洞吗？ [英] Does HTML encoding prevent XSS security exploits?

问题描述

只需转换以下内容（大5）：

By simply converting the following ("the big 5"):

& -> &
< -> &lt;
> -> &gt;
" -> &#034;
' -> &#039;

您将阻止XSS攻击吗？

Will you prevent XSS attacks?

我认为您也需要在字符级别上白名单，以防止某些攻击，但以下答案表示问题过于复杂。

I think you need to white list at a character level too, to prevent certain attacks, but the following answer states it overcomplicates matters.

编辑 页面详细信息它不会阻止更详细的注入，对于超出范围字符=问号，当使用单字节编码将字符串输出到Writer时，也不会阻止用户在显示页面上切换浏览器编码时重新解释字符。本质上，仅转义这些字符似乎是一种幼稚的方法。

EDIT This page details it does not prevent more elaborate injections, does not help with "out of range characters = question marks" when outputting Strings to Writers with single byte encodings, nor prevents character reinterpretation when user switches browser encoding over displayed page. In essence just escaping these characters seems to be quite a naive approach.

推荐答案

您将阻止XSS攻击吗？

Will you prevent XSS attacks?

如果您进行此转义在正确的时间（*），然后是的，您将阻止HTML注入。这是XSS攻击的最常见形式。这不仅仅是安全问题，您仍然需要进行转义，以便包含这些字符的字符串将始终正确显示。安全问题是正确性问题的一个子集。

If you do this escaping at the right time(*) then yes, you will prevent HTML-injection. This is the most common form of XSS attack. It is not just a matter of security, you need to do the escapes anyway so that strings with those characters in will display correctly anyway. The issue of security is a subset of the issue of correctness.

我认为您也需要在字符级白名单，以防止某些攻击

I think you need to white list at a character level too, to prevent certain attacks

否。 HTML转义会将这些攻击中的每一种都呈现为页面上的非活动纯文本，这正是您想要的。该页面上的攻击范围显示了进行HTML注入的不同方法，这些方法可以绕过一些服务器部署的 XSS过滤器这种愚蠢的 XSS过滤器，以尝试防止常见的HTML注入攻击。这说明 XSS过滤器本质上是泄漏性的且无效。

No. HTML-escaping will render every one of those attacks as inactive plain text on the page, which is what you want. The range of attacks on that page is demonstrating different ways to do HTML-injection, which can get around the stupider "XSS filters" that some servers deploy to try to prevent common HTML-injection attacks. This demonstrates that "XSS filters" are inherently leaky and ineffective.

还有其他形式的XSS攻击可能会或可能不会影响您，例如，针对用户-提交的URI（ javascript：等），将代码注入到回显到JavaScript块（需要JSON样式转义的地方）或样式表或HTTP响应标头中的数据中，将文本放到另一个上下文中时始终需要适当的编码形式；如果看到带有未转义插值的内容（例如PHP的 string $ var string

There are other forms of XSS attack that might or might not affect you, for example bad schemes on user-submitted URIs (javascript: et al), injection of code into data echoed into a JavaScript block (where you need JSON-style escaping) or into stylesheets or HTTP response headers (again, you always need the appropriate form of encoding when you drop text into another context; you should always be suspicious if you see anything with unescaped interpolation like PHP's "string $var string").

然后是文件上传处理，Flash原始策略，旧版浏览器中的UTF-8超长序列以及应用程序级内容生成问题；所有这些都可能导致跨站点脚本编写。但是HTML注入是每个Web应用程序都将面临的主要问题，并且当今大多数PHP应用程序都会出错。

Then there's file upload handling, Flash origin policy, UTF-8 overlong sequences in legacy browsers, and application-level content generation issues; all of these can potentially lead to cross-site scripting. But HTML injection is the main one that every web application will face, and most PHP applications get wrong today.

（*：在将文本内容插入HTML时，不要在开始时在 $ _ POST / $ _ GET 中使用HTML转义表单提交数据脚本；这是一个错误的常见错误。）

(*: which is when inserting text content into HTML, and at no other time. Do not HTML-escape form submission data in $_POST/$_GET at the start of your script; this is a common wrong-headed mistake.)

这篇关于HTML编码会阻止XSS安全漏洞吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！