eval和innerHTML for clientside javascript的安全性比较？ [英] Security comparison of eval and innerHTML for clientside javascript?

问题描述

我一直在做一些关于innerHTML的实验，试图弄清楚我需要在我正在处理的webapp上加强安全性，然后我在 mozilla文档，我没有想过。

  var name =< img src = x onerror = alert（1）>; 
 element.innerHTML = name; //立即运行代码。 
  

它让我想到了。）如果我应该使用innerHTML和b。）if这不是问题，为什么我一直在避免其他代码插入方法，特别是eval。

我们假设我在浏览器上运行javascript clientside，并且我采取必要的预防措施以避免在易于访问的功能中暴露任何敏感信息，并且我已经到了一些任意指定的地方，我已经决定innerHTML不存在安全风险，并且我已经优化了我的代码，直到我不一定会担心一个非常小的性能打击...

我是否使用eval创建任何其他问题？除了纯代码注入之外，还有其他的安全问题吗？ b
$ b 或者，innerHTML是我应该表现出相同数量的谨慎的东西吗？是否同样危险？

解决方案

tl; dr;

是，你的假设是正确的。

设置 innerHTML 容易受到XSS攻击，如果你添加了不可信代码。

（如果您要添加您的代码，那不是什么问题）

考虑使用 textContent code> ，如果你想添加用户添加的文本，它会转义它。

问题是什么

innerHTML 设置DOM节点的HTML内容。当您将DOM节点的内容设置为任意字符串时，如果您接受用户输入，则很容易受到XSS的影响。

例如，如果将<$>设置为<$基于用户从 GET 参数输入的节点的c $ c> innerHTML 。 用户A可以向用户B发送页面的一个版本，其中HTML表示窃取用户的数据并通过AJAX发送给我。

请参阅< a href =https://stackoverflow.com/questions/2905886/what-makes-an-input-vulnerable-to-xss>这个问题在这里获取更多信息。

我能做些什么来缓解它？

如果您设置节点的HTML，您可能需要考虑的是：

• 使用模板引擎，如 Mustache < a>具有逃避能力。 （它会默认转义HTML）


• 使用 textContent 手动设置节点文本


• 不接受用户对文本字段的任意输入，自己清理数据。 /stackoverflow.com/questions/3638619/prevent-xss-attacks-site-wide\">此问题有关防止XSS的更多常规方法。
  
  
  

  代码注射是问题。你不想在接收端。

  
  
  

  房间里的大象

  
  
  

  这不是唯一的问题是 innerHTML 和 eval 。当您更改DOM节点的 innerHTML 时，您将销毁其内容节点并创建新节点。当你调用 eval 时，你正在调用编译器。

  
  
  

  尽管这里的主要问题显然没有解决，值得信赖的代码，你说性能不是问题，我仍然觉得我必须提到他们的替代方案非常慢。

  
  

  I've been doing some experimenting with innerHTML to try and figure out where I need to tighten up security on a webapp I'm working on, and I ran into an interesting injection method on the mozilla docs that I hadn't thought about.

  var name = "<img src=x onerror=alert(1)>";
  element.innerHTML = name; // Instantly runs code.
  

  It made me wonder a.) if I should be using innerHTML at all, and b.) if it's not a concern, why I've been avoiding other code insertion methods, particularly eval.

  Let's assume I'm running javascript clientside on the browser, and I'm taking necessary precautions to avoid exposing any sensitive information in easily accessible functions, and I've gotten to some arbitrarily designated point where I've decided innerHTML is not a security risk, and I've optimized my code to the point where I'm not necessarily worried about a very minor performance hit...

  Am I creating any additional problems by using eval? Are there other security concerns other than pure code injection?

  Or alternatively, is innerHTML something that I should show the same amount of care with? Is it similarly dangerous?

  解决方案

  tl;dr;

  Yes, you are correct in your assumption.

  Setting innerHTML is susceptible to XSS attacks if you're adding untrusted code.

  (If you're adding your code though, that's less of a problem)

  Consider using textContent if you want to add text that users added, it'll escape it.

  What the problem is

  innerHTML sets the HTML content of a DOM node. When you set the content of a DOM node to an arbitrary string, you're vulnerable to XSS if you accept user input.

  For example, if you set the innerHTML of a node based on the input of a user from a GET parameter. "User A" can send "User B" a version of your page with the HTML saying "steal the user's data and send it to me via AJAX".

  See this question here for more information.

  What can I do to mitigate it?

  What you might want to consider if you're setting the HTML of nodes is:

  • Using a templating engine like Mustache which has escaping capabilities. (It'll escape HTML by default)
  • Using textContent to set the text of nodes manually
  • Not accepting arbitrary input from users into text fields, sanitizing the data yourself.

  See this question on more general approaches to prevent XSS.

  Code injection is a problem. You don't want to be on the receiving end.

  The Elephant in the room

  That's not the only problem with innerHTML and eval. When you're changing the innerHTML of a DOM node, you're destroying its content nodes and creating new ones instead. When you're calling eval you're invoking the compiler.

  While the main issue here is clearly un-trusted code and you said performance is less of an issue, I still feel that I must mention that the two are extremely slow to their alternatives.

  这篇关于eval和innerHTML for clientside javascript的安全性比较？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！