Avoiding XSS when echoing POSTed HTML


Problem description


I have a web page which needs to do the following:

• dynamically create an HTML fragment using JavaScript
• open a new window
• display the HTML in the new window

My first approach used document.write to copy the HTML into the window. This works in most cases, but it causes problems with Internet Explorer when the original window has set document.domain. Plus document.write tends to be discouraged these days.

So my second approach was to put the HTML into a hidden form, set the form's target to the new window, and POST the form. This means I need a script on the server to respond to the form, by echoing the POSTed content.

But this is dangerous, since someone could make a request that includes <script> tags in the content. How can I avoid the potential XSS risk? I guess I could filter out things like <script>, although that seems clumsy. If I were creating the HTML on the server, I could encrypt it, or add some token that can only be verified on the server. But I'm creating it on the client.

EDIT: Thanks for the filtering suggestions so far. I may choose to go this route, but I'm wondering: what if I don't want any restrictions on the HTML I create? Is there any way I can validate that the document was created by my page?

Solution

Try HTML Purifier.

Edit:

"Is there any way I can validate that the document was created by my page?"
Not unless you create another copy of the html server-side and compare. Anything in your script can be viewed by the user, although you can make it difficult for non-technical users. Anything that client-side Javascript can do, a malicious user can do on a Javascript console.

Even if you somehow verified that the request came from your script, a malicious user can modify your script using a Javascript console by inserting lines of code that produce a dangerous request. All GET and POST data must be treated as malicious.
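An added example (not code from the question, the answer, or HTML Purifier itself) of the allowlist approach the answer points to, written in Python on the standard-library html.parser so it runs stand-alone; the allowlist contents and the safe_href rule are assumptions for this example, not HTML Purifier's defaults. Applied server-side to the POSTed fragment before it is echoed, it drops everything that is not on the list instead of hunting for <script>, so event-handler attributes and javascript: URLs that a tag denylist would pass are removed as well.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist for this example (an assumption, not HTML Purifier's defaults):
# tag -> attributes kept on it. Anything absent here is dropped on output.
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(), "a": {"href", "title"},
}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def safe_href(value):
    # Only absolute http(s)/mailto links or same-origin paths survive.
    v = value.strip().lower()
    return v.startswith(SAFE_SCHEMES) or (v.startswith("/") and not v.startswith("//"))

class AllowlistSanitizer(HTMLParser):
    # Re-serialises allowlisted tags/attributes only; text is always escaped.
    # Comments, doctype and CDATA hit HTMLParser's no-op defaults and vanish.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 inside <script>/<style>: their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content still flows through escaped
        kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                if v is not None and n in ALLOWED_TAGS[tag] and (n != "href" or safe_href(v))]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(posted_html):
    p = AllowlistSanitizer()
    p.feed(posted_html)
    p.close()
    return "".join(p.out)
```

sanitize() is what the echo endpoint should return in place of the raw POST body; in production use a maintained sanitizer library, since the point here is the allowlist mechanism rather than completeness.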

