允许在 Python 中使用 Markdown,同时防止 XSS 攻击的最佳实践? [英] Best practice for allowing Markdown in Python, while preventing XSS attacks?
问题描述
我需要让用户将Markdown内容输入到我的具有Python后端的Web应用程序中.我不想不必要地限制它们的条目(例如,不允许 any HTML,这与Markdown的精神和规格背道而驰),但显然我需要防止跨站点脚本(XSS)攻击
I need to let users enter Markdown content to my web app, which has a Python back end. I don’t want to needlessly restrict their entries (e.g. by not allowing any HTML, which goes against the spirit and spec of Markdown), but obviously I need to prevent cross-site scripting (XSS) attacks.
我不是第一个遇到此问题的人,但是没有看到带有所有关键字"python","Markdown"和"XSS"的任何SO问题,所以去了.
I can’t be the first one with this problem, but didn’t see any SO questions with all the keywords "python," "Markdown," and "XSS", so here goes.
使用Python库处理Markdown并防止XSS攻击的最佳实践方法是什么?(支持 PHP Markdown Extra 语法的加分点.)
What’s a best-practice way to process Markdown and prevent XSS attacks using Python libraries? (Bonus points for supporting PHP Markdown Extra syntax.)
推荐答案
我无法确定最佳实践",但是通常在接受Markdown输入时您有三种选择:
I was unable to determine "best practice," but generally you have three choices when accepting Markdown input:
-
在Markdown内容中允许HTML(这是Markdown最初/官方的工作方式,但是如果天真地对待,则可能会引发XSS攻击).
Allow HTML within Markdown content (this is how Markdown originally/officially works, but if treated naïvely, this can invite XSS attacks).
只需将任何HTML视为纯文本,就可以让Markdown处理器逃避用户的输入.因此,输入中的< small>…</small> 不会创建小文本,而是文字文本"< small>…</small> ".
Just treat any HTML as plain text, essentially letting your Markdown processor escape the user’s input. Thus <small>…</small> in input will not create small text but rather the literal text "<small>…</small>".
丢弃Markdown中的所有HTML标签.这对用户是相当敌对的,并且可能取决于实现方式而使诸如< 3 之类的文本阻塞.这是在堆栈溢出中采用的方法.
Throw out all HTML tags within Markdown. This is pretty user-hostile and may choke on text like <3 depending on implementation. This is the approach taken here on Stack Overflow.
我的问题具体涉及案例#1.
My question regards case #1, specifically.
鉴于,最适合我的方式是通过以下方式发送用户输入
Given that, what worked well for me is sending user input through
- Markdown for Python,可选 html5lib 的消毒剂.
我对此组合进行了一系列XSS攻击尝试,但均失败了(欢呼!);但是使用像< strong> 这样的良性标签就可以正常工作.
I threw a bunch of XSS attack attempts at this combination, and all failed (hurray!); but using benign tags like <strong> worked flawlessly.
通过这种方式,您实际上可以按照需要使用选项#1,但潜在的危险或格式错误的HTML代码段除外,这些代码段被视为选项#2.
This way, you are in effect going with option #1 (as desired) except for potentially dangerous or malformed HTML snippets, which are treated as in option #2.
(感谢Wong Y.H向我指向Markdown库的方向!)
这篇关于允许在 Python 中使用 Markdown,同时防止 XSS 攻击的最佳实践?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
