消毒< script>元素含量 [英] Sanitize <script> element contents

问题描述

说我想通过动态的< script> 元素向客户端提供一些数据(在第一个响应中，没有延迟).

Say that I want to provide some data to my client (in the first response, with no latency) via a dynamic <script> element.

<script><%= payload %></script>

假设 payload 是字符串 var data ='</script>< script> alert("Muahahaha！")';</script> .结束标记(</script> )将允许用户向我的页面中注入任意脚本.如何正确清理脚本元素的内容?

Say that payload is the string var data = '</script><script>alert("Muahahaha!")';</script>. An end tag (</script>) will allow users to inject arbitrary scripts into my page. How do I properly sanitize the contents of my script element?

我认为我可以将</script> 更改为< \/script> 和<！-更改为< \！-.我还有其他需要逃脱的危险绳子吗?有没有更好的方法来提供这种冷启动"数据?

I figure I could change </script> to <\/script> and <!-- to <\!--. Are there any other dangerous strings I need to escape? Is there a better way to provide this "cold start" data?

推荐答案

假设您正在这样做:

有效负载设置为

var data = '[this is user controlled data]';

，其余代码(赋值，引号和分号)由您的应用程序生成，那么所需的编码就是十六进制实体编码.

and the rest of the code (assignment, quotes and semi-colon) is generated by your application, then the encoding you want is hex entity encoding.

请参见了解更多信息.这将转换

See the OWASP XSS Prevention Cheat Sheet, Rule #3 for more information. This will convert

</script><script>alert("Muahahaha!")

进入

var data = '\x3c\x2fscript\x3e\x3cscript\x3ealert\x28\x22Muahahaha\x21\x22\x29';

尝试一下，您将看到它的优点是无论用户设置的字符串包含什么字符，它都可以正确存储.此外，它还处理单引号和双引号编码.作为超级赠品，它还适合存储在HTML属性中:

Try this and you will see this has the advantage of storing the user set string exactly correct, no matter what characters it contains. Additionally it takes care of single and double quote encoding. As a super bonus, it is also suitable for storing in HTML attributes:

<a onclick="alert('[user data]');" />

通常必须再次对其进行HTML编码才能正确显示(因为HTML属性中的& 被解释为& ).但是，十六进制实体编码不包含任何具有特殊含义的HTML字符，因此以1的价格可以获得2.

which normally would have to be HTML encoded again for correct display (because & inside an HTML attribute is interpreted as &). However, hex entity encoding does not include any HTML characters with special meaning so you get two for the price of one.

OP表示将以以下形式生成服务器端代码

The OP indicated that the server-side code would be generated in the form

var data = <%= JSON.stringify(data) %>;

以上仍然适用.取决于JSON类，以便在将值插入JSON时正确地对其实体进行十六进制编码.在类外无法轻松完成此操作，因为您必须再次有效地解析JSON才能确定当前的语言上下文.我不建议采用在</script> 中转义正斜杠的简单选项，因为还有其他可以终止语法上下文的序列，例如CDATA结束标记.正确地进行转义，您的代码将成为未来的证明和安全性.

The above still applies. It is upto the JSON class to properly hex entity encode values as they're inserted into the JSON. This cannot easily be done outside of the class as you'd have to effectively parse the JSON again to determine the current language context. I wouldn't recommend going for the simple option of escaping the forward slash in the </script> because there are other sequences that can end the grammar context such as CDATA closing tags. Escape properly and your code will be future proof and secure.

这篇关于消毒< script>元素含量的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！