Is Bootstrap 3.3.7 safe and secured if "data-target" attribute is unused?
Problem description
There is a security vulnerability regarding Bootstrap 3.3.7. It says that "Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks via the data-target attribute." I am wondering if v3.3.7 is safe to use if the "data-target" attribute is not used.
The so-called 'vulnerability' only occurs if the data-target value relies on data injected by something external (directly or indirectly) AND is shown on a page where other users than the attacker are affected.
In other words this is NOT an issue if all your data-target attributes are made of hardcoded html text. It is also generally not an issue if this page is only seen by the attacker (self-hack ...).
For example you could also say jQuery .html() is a vulnerability, which is a more obvious case, but still vulnerable to XSS if you are a total web beginner or just did not pay attention.
So in general, avoid injecting unescaped user data into third-party widgets: popups, tooltips, ... or anything where the DOM is directly manipulated behind the scenes.
I personally do not consider this a big vulnerability, but it is nicer if a famous framework like bootstrap handles this case or explicitly names the method as unsafe to warn developers.
Chrome audit considers bootstrap 3.3.x a vulnerability (via Snyk):
Includes front-end JavaScript libraries with known security vulnerabilities
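The answer's rule of thumb (a data-target value is only a problem when it is built from external input, and hardcoded values are fine) can be enforced at the point where the attribute is rendered. The following is an added example, not code from the question, the answer or the Bootstrap project: it keeps every data-target value on a page-side allow-list of known ids, rejects anything that is not a plain "#id" selector, and escapes the free text that lands in HTML content. The panel ids, the `safeDataTarget`/`escapeAttr`/`renderToggle` function names and the sample inputs are constructed for the example.

```javascript
// Added example (not from the original question or answer): emit data-target
// values only from a fixed allow-list of element ids, never from raw request
// input, so the framework only ever receives a hardcoded selector.

// Strict id selector: '#' followed by a plain HTML id (letter first, then
// letters, digits, '_', ':', '.', '-'). No commas, spaces, quotes or markup.
const ID_SELECTOR = /^#[A-Za-z][A-Za-z0-9_:.-]*$/;

// Hypothetical allow-list of the collapsible panels this page actually renders
// (constructed sample values).
const KNOWN_PANELS = new Set(['#panel-login', '#panel-signup', '#panel-help']);

// Returns a data-target value that is safe to emit, or null when the input is
// not a known id selector. Malformed input is rejected rather than escaped,
// because the attribute is interpreted as a selector, not merely displayed.
function safeDataTarget(userValue, allowed = KNOWN_PANELS) {
  if (typeof userValue !== 'string') return null;
  const value = userValue.trim();
  if (!ID_SELECTOR.test(value)) return null;
  return allowed.has(value) ? value : null;
}

// Escape text for a double-quoted HTML attribute or for element content.
function escapeAttr(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a Bootstrap 3 style collapse toggle. The target must come from the
// allow-list; the visible label is free text and is escaped before it is
// placed in HTML content. Unknown targets fall back to a hardcoded default.
function renderToggle(userTarget, label) {
  const target = safeDataTarget(userTarget) ?? '#panel-help';
  return `<button data-toggle="collapse" data-target="${target}">${escapeAttr(label)}</button>`;
}

// Constructed sample inputs: a known panel, an unknown panel, and two values
// that are not id selectors at all.
const samples = ['#panel-login', '#panel-admin', '#panel-login, body', '<b>x</b>'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeDataTarget(s));
}
console.log(renderToggle('#panel-signup', 'Sign up'));
console.log(renderToggle('*', 'x<y'));
```

The choice to reject instead of escape is deliberate: escaping protects the attribute context, but the framework later hands the value to a selector engine, so only values that are already valid, known selectors should reach that attribute. The same pattern applies to the tooltip and popover text the answer mentions: treat it as content, escape it, and never concatenate raw user input into markup that a plugin will insert into the DOM.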