Does IsValid() protect from XSS?


Question

Does using IsValid() to validate an email address or a URL format protect from XSS? Does it negate XSS when other formats are specified?

Answer

A valid URL can still contain an attack vector:

<!--- isValid() returns NO on CF9: raw ';' and spaces in the query string --->
<cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123; DROP TABLE Products")#</cfoutput>

<!--- isValid() returns YES on CF9: the same ';DROP TABLE Products' payload, hex encoded --->
<cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123%3B%20%44%52%4F%50%20%54%41%42%4C%45%20%50%72%6F%64%75%63%74%73")#</cfoutput>

Granted, the above is not an XSS attack, but it could be changed to instead update columns with an attack.

Email validation appears to prevent the attacks I could find.

As a generalization, isValid() helps prevent XSS attacks when the datatype is finite (integers, SSNs, UUIDs, etc.). However, there's a laundry list of documented potential attacks against fields whose only datatype per se is 'string'. In that case, isValid() is of no help; rather, OWASP's AntiSamy is a useful tool for this purpose that traverses the DOM and removes anything not whitelisted.

"Best regex to catch XSS (Cross-site Scripting) attack (in Java)?" provides a lot of useful information on the general topic of XSS prevention.

And finally, to belabor the point, use:

<cfqueryparam cfsqltype="..." value="...">

to protect queries.

Update

Last, but not least, the OWASP XSS Cheat Sheet: the best set of heuristics out there for processing input to prevent XSS.
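The following is an added example, not code from the question or the answer above, that shows the answer's point in runnable form: a value can pass a format check and still carry a payload, because a format check says nothing about the context the value is later placed in. It uses `urllib.parse` as a stand-in for ColdFusion's `isValid("url", ...)`; the exact set of strings `isValid()` accepts is version specific (the CF9 comments in the answer), so `looks_like_url` and `looks_like_email` here are assumed, simplified validators, not reproductions of `isValid()`. The sample URLs and the email address are constructed for the example. The hardened renderer does the two things the format check cannot: it allow-lists the URL scheme and HTML-encodes the value for the context it is written into.

```python
"""Format validation versus contextual output encoding (added example)."""
import html
import re
from urllib.parse import unquote, urlsplit

# Assumed stand-in for isValid("email", ...): a conservative pattern that
# rejects quoting and angle brackets in the local part, which is why the
# script-bearing email below does not get through.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed samples. The second one is the hex-encoded URL from the answer.
URL_WITH_MARKUP = (
    'http://www.mydomain.com/products/products.asp?productid=123"><script>alert(1)</script>'
)
URL_HEX_ENCODED = (
    "http://www.mydomain.com/products/products.asp?productid=123"
    "%3B%20%44%52%4F%50%20%54%41%42%4C%45%20%50%72%6F%64%75%63%74%73"
)
URL_JS_SCHEME = "javascript://example.com/%0aalert(1)"
EMAIL_WITH_MARKUP = '"<script>alert(1)</script>"@example.com'

ALLOWED_SCHEMES = {"http", "https"}


def looks_like_url(value: str) -> bool:
    """Structural check only (assumed validator): has a scheme and a host."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc)


def looks_like_email(value: str) -> bool:
    """Assumed validator: strict local-part character set."""
    return EMAIL_RE.fullmatch(value) is not None


def decoded_query(url: str) -> str:
    """What the application sees once the query string is percent-decoded."""
    return unquote(urlsplit(url).query)


def allowed_scheme(url: str) -> bool:
    """Scheme allow-list; 'javascript:' is a well-formed URL but not a safe link."""
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def render_link_unsafe(url: str) -> str:
    """Trusting the format check and interpolating raw: attribute breakout."""
    return f'<a href="{url}">{url}</a>'


def render_link_safe(url: str) -> str:
    """Allow-list the scheme, then encode for the attribute and text contexts."""
    if not allowed_scheme(url):
        raise ValueError(f"scheme not allowed: {urlsplit(url).scheme!r}")
    encoded = html.escape(url, quote=True)
    return f'<a href="{encoded}">{encoded}</a>'


if __name__ == "__main__":
    for sample in (URL_WITH_MARKUP, URL_HEX_ENCODED, URL_JS_SCHEME):
        print(f"looks_like_url -> {looks_like_url(sample)}  {sample}")
    print("decoded query :", decoded_query(URL_HEX_ENCODED))
    print("unsafe render :", render_link_unsafe(URL_WITH_MARKUP))
    print("safe render   :", render_link_safe(URL_WITH_MARKUP))
    try:
        render_link_safe(URL_JS_SCHEME)
    except ValueError as exc:
        print("safe render   : rejected,", exc)
    print("looks_like_email ->", looks_like_email(EMAIL_WITH_MARKUP))
```

All three URLs pass the structural check, including the `javascript:` one, which is exactly the case a format check cannot decide for you. The unsafe renderer emits the attribute breakout verbatim; the safe renderer turns it into `&quot;&gt;&lt;script&gt;...`, and refuses the `javascript:` scheme outright. The hex-encoded URL from the answer decodes to `productid=123; DROP TABLE Products` on the server side, which is why the answer pairs format validation with `cfqueryparam` rather than relying on either alone.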
