可能通过富文本编辑器发布图像容易受到XSS攻击？ [英] May posting of images through a rich text editor be vulnerable to XSS attacks?

问题描述

我使用的是富文本编辑器 - CKEditor允许用户输入格式化的HTML / CSS文本。

I'm using a rich text editor - CKEditor to allow users to input formatted text that renders HTML/CSS.

为了防止 XSS 攻击不受信任的用户，我使用 Jsoup 过滤/显示必要的Java库用户输入的标签和/或属性，例如像

To prevent XSS attacks by untrusted users, I'm using the Jsoup Java library which filters/whiltelists necessary tags and/or attributes of the user input something like, for example, an anchor tag like,

<a href='http://example.com/' onclick='executeMaliciousTask();'>Click Here</a>

变成

<a href="http://example.com/" rel="nofollow">Click Here</a>

Jsoup生成的链接似乎对XSS攻击是安全的。

The link generated by Jsoup seems to be safe against XSS attacks.

我需要允许用户通过编辑器输入图像。为了做到这一点，我正在使用以下方法。

I need to allow users to input images through the editor. For this to be so, I'm using using the following method of Jsoup.

org.jsoup.Jsoup.clean(editorContents, org.jsoup.safety.Whitelist.basicWithImages();

可能允许用户以这种方式张贴图像容易受到XSS攻击？

May allowing users to post images in this way be vulnerable to XSS attacks in any way?

推荐答案

风险不是在生成的干净HTML中，而是在提供图像的服务器中。 CSRFs，但可能还有其他问题（如恶意图片导致缓冲区溢出，或更改响应内容类型，并将浏览器转换为执行脚本或设置跟踪Cookie等）。

The risk is not in the clean HTML generated, but in the server that provides the image. My main concern would be CSRFs. But there could be other issues (like an malicious images causing a buffer overrun, or changing the response content-type and fooling the browser into executing script, or setting tracking cookies, etc).

我的建议是不允许远程托管图片。允许用户添加一个img，但获取图片，验证/规范化，并从您自己的主机中提供。

My suggestion would be not to allow images to be remotely hosted. Allow the user to include an img, but fetch the image, validate / normalize it, and serve it from your own host.

这篇关于可能通过富文本编辑器发布图像容易受到XSS攻击？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！