防止xss,但允许所有的html标签 [英] prevent xss but allow all html tags
本文介绍了防止xss,但允许所有的html标签的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
因为我主要是谁来管理它...我想确保当我输入
< ul>
< li>测试< / li>
< li>测试< / li>
< / ul>
会显示无序列表,但也会阻止 XSS
标签以防万一......
我怎么能这样做?
可以创建一个解决方案函数并替换 ul
, ol
, img
等等...
解决方案
在处理XSS的同时允许HTML的标准方式是:
- 通过(实际)HTML解析器运行HTML
- 删除任何不在白名单中的元素或属性以第三方白名单为出发点,研究添加的任何其他元素/属性,以确保他们没有手段注入您不知道的JS。)
- 理智检查任何URI
- 从DOM生成干净的HTML
具体取决于您正在使用的语言。
I am building a blog and currently im finishing the admin panel.
Since i will be mostly who will be managing it... i want to make sure that when i type
<ul>
<li>test</li>
<li>test</li>
</ul>
will show me the unordered list but also prevent XSS
tags just in case...
how could i do that?
could a solution be creating functions and replace the tags of ul
, ol
, img
etc...?
解决方案
The standard way to deal with XSS while allowing HTML is to:
- run the HTML through a (real) HTML parser
- delete any element or attribute that isn't on a whitelist (use a third party whitelist as a starting point, do research on any additional elements/attributes you add to make sure they don't have means to inject JS that you don't know about).
- sanity check any URIs
- generate clean HTML from the DOM
The specifics will depend on the language you are using.
这篇关于防止xss,但允许所有的html标签的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文