使用户制作的HTML模板安全 [英] Making user-made HTML templates safe
问题描述
我希望允许用户创建小型模板,然后使用预定义的上下文在Django中渲染。我假设Django渲染是安全的(我问了一个关于这个问题 之前),但是仍然存在跨站点脚本的风险,并且我想阻止它。这些模板的主要要求之一是用户应该对页面的布局有一些控制,而不仅仅是语义。我看到了一些解决方案:
- 允许用户使用HTML,但在最后一步中手动过滤危险标签(像
< script>和< a onclick ='..'>我对此并不热情选项,因为我害怕我可能会忽略一些标签,即使如此,用户仍然可以在< divs>上使用绝对定位来在
- 使用产生安全HTML的标记语言。从我所看到的,在大多数标记语言中,我可以去掉任何html,并且然后处理结果,问题在于大多数标记语言并不是非常强大的布局明智的,据我所知,在Markdown中没有办法将元素居中,甚至在ReST中也没有办法,这里的pro是一些标记语言有很好的文档记录,用户可能已经知道如何使用它们。
- 提出一些专有标记。我在这里看到的缺点是p retty很多都是由专有这个词所暗示的。
因此,总结一下:是否有一些安全和简单的方法来纯化HTML&#x2014;防止xss&#x2014; 或是否有合理无处不在的标记语言,可以对布局和样式进行一些控制。
资源:
基于PHP的 HTML净化器 ,我自己还没有使用过它,但听说过很好的东西。它们承诺很多:
HTML Purifier是一种符合标准的
HTML过滤器库,用
PHP编写。 HTML Purifier不仅会删除所有恶意的
代码(更好的称为XSS),它还包含经过全面审计的
安全但宽松的白名单
,它还会确保您的文档是
标准只有在
全面了解W3C规范的情况下才能实现。
也许值得一试,即使它不是Python根据。更新:@Matchu发现了一个基于Python的替代品,它看起来不错。
然而,你会遇到很多非常困难的边缘情况,只是想想Flash嵌入。此外,位置:绝对的恶意使用非常难以追踪(
EBay上的相关资源:
-
HTML& JavaScript 的例子
网站干扰 但是,目前尚不清楚什么是被禁止的以及被过滤的内容
从我发现的看来,他们似乎并不发布他们的内部HTML黑名单,但是如果发现禁用的代码,则会输出错误消息。 (这可能是一个明智的举动,但对于这个问题的目的而言是不幸的。)
I want to allow users to create tiny templates that I then render in Django with a predefined context. I am assuming the Django rendering is safe (I asked a question about this before), but there is still the risk of cross-site-scripting, and I'd like to prevent this. One of the main requirements of these templates is that the user should have some control over the layout of the page, not just it's semantics. I see a couple of solutions:
- Allow the user to use HTML, but filter out dangerous tags manually in the final step (things like
<script>and<a onclick='..'>. I'm not so enthusiastic about this option, because I'm afraid I might overlook some tags. Even then, the user could still use absolute positioning on<divs>to mess up a thing or two on the rest of the page. - Use a markup language that produces safe HTML. From what I can see, in most markup languages, I could strip any html, and then process the result. The problem with this is that most markup languages are not very powerful layout-wise. As far as I could see there is no way to center elements in Markdown, not even in ReST. The pro here is that some markup languages are well-documented, and users might already know how to use them.
- Come up with some proprietary markup. The cons I see here are pretty much all implied by the word proprietary.
So, to summarize: Is there some safe and easy way to "purify" HTML — preventing xss — or is there a reasonably ubiquitous markup language that gives some control over layout and styling.
Resources:
There's PHP-Based HTML purifier, I have not used it myself yet but heard very good things about it. They promise a lot:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
Maybe it's worth a try even though it's not Python based. Update: @Matchu has found a Python based alternative that looks good too.
You'll have a lot of very difficult edge cases, though, just think about Flash embeds. Plus, malicious uses of position: absolute are extremely difficult to track down (there's position: relative that could achieve the same effect, but also be a completely legitimate layout tool.) Maybe take a look at what - for example - EBay allow, and don't allow? If anybody has the necessary experience to know what's dangerous and what isn't from millions of examples, they do.
Related resources on EBay:
HTML & JavaScript with examples
Site Interference it's unclear, though, what is just forbidden, and what gets filtered
From what I found, they don't seem to publish their internal HTML blacklists, but output an error message if forbidden code is found. (Probably a wise move on their part, but unfortunate for the purposes of this question.)
这篇关于使用户制作的HTML模板安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
