Avoiding XSS when echoing POSTed HTML
Problem description
I have a web page which needs to do the following:
- dynamically create an HTML fragment using JavaScript
- open a new window
- display the HTML in the new window
My first approach used document.write to copy the HTML into the window. This works in most cases, but it causes problems with Internet Explorer when the original window has set document.domain. Plus document.write tends to be discouraged these days.
So my second approach was to put the HTML into a hidden form, set the form's target to the new window, and POST the form. This means I need a script on the server to respond to the form, by echoing the POSTed content.
But this is dangerous, since someone could make a request that includes <script> tags in the content. How can I avoid the potential XSS risk? I guess I could filter out things like <script>, although that seems clumsy. If I were creating the HTML on the server, I could encrypt it, or add some token that can only be verified on the server. But I'm creating it on the client.
EDIT: Thanks for the filtering suggestions so far. I may choose to go this route, but I'm wondering: what if I don't want any restrictions on the HTML I create? Is there any way I can validate that the document was created by my page?
Try HTML Purifier.
Edit:
"Is there any way I can validate that the document was created by my page?"
Not unless you create another copy of the html server-side and compare. Anything in your script can be viewed by the user, although you can make it difficult for non-technical users. Anything that client-side Javascript can do, a malicious user can do on a Javascript console.
Even if you somehow verified that the request came from your script, a malicious user can modify your script using a Javascript console by inserting lines of code that produce a dangerous request. All GET and POST data must be treated as malicious.