如何安全地使用 fckEditor，没有跨站脚本的风险? [英] How do use fckEditor safely, without risk of cross site scripting?

问题描述

此链接描述了使用 fckEditor 对我的应用程序的利用:http://knitinr.blogspot.com/2008/07/script-exploit-via-fckeditor.html

This link describes an exploit into my app using fckEditor: http://knitinr.blogspot.com/2008/07/script-exploit-via-fckeditor.html

如何在仍然使用 fckEditor 的同时使我的应用程序安全?它是 fckEditor 配置吗?从 fckEditor 获取文本后，我应该在服务器端进行一些处理吗?

How do I make my app secure while still using fckEditor? Is it an fckEditor configuration? Is it some processing I'm supposed to do server-side after I grab the text from fckEditor?

这是一个难题，因为 fckEditor 使用 html 标签进行格式化，所以当我显示文本时我不能只进行 HTML 编码.

It's a puzzle because fckEditor USES html tags for its formatting, so I can't just HTML encode when I display back the text.

推荐答案

清理 html 服务器端，别无选择.对于 PHP，它将是 HTML Purifier，对于 .NET 我不知道.清理 HTML 很棘手 - 仅去除脚本标签是不够的，您还必须注意 on* 事件处理程序，甚至更多，这要归功于 IE 的愚蠢行为.

Sanitize html server-side, no other choice. For PHP it would be HTML Purifier, for .NET I don't know. It's tricky to sanitize HTML - it's not sufficient to strip script tags, you also have to watch out for on* event handlers and even more, thanks to stupidities of IE for example.

此外，使用自定义 html 和 css 很容易劫持您网站的外观和布局 - 使用覆盖所有屏幕等的覆盖(绝对定位).为此做好准备.

Also with custom html and css it's easy to hijack look and layout of your site - using overlay (absolutely positioned) which covers all screen etc. Be prepared for that.

这篇关于如何安全地使用 fckEditor，没有跨站脚本的风险?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！