Best Practice: Legitimate Cross-Site Scripting


Problem description

While cross-site scripting is generally regarded as negative, I've run into several situations where it's necessary.

I was recently working within the confines of a very limiting content management system. I needed to include database code within the page, but the hosting server didn't have anything usable available. I set up a couple bare-bones scripts on my own server, originally thinking that I could use AJAX to import the contents of my scripts directly into the template of the CMS (thus retaining dynamic images, menu items, CSS, etc.). I was wrong.

Due to the limitations of XMLHttpRequest objects, it's not possible to grab content from a different domain. So I thought iFrame - even though I'm not a fan of frames, I thought that I could create a frame that matched the width and height of the content so that it would appear native. Again, I was blocked by cross-site scripting "protections." While I could indeed load a remote file into the iFrame, I couldn't execute JavaScript to modify its size on either the host page or inside the loaded page.

In this particular scenario, I wasn't able to point a subdomain to my server. I also couldn't create a script on the CMS server that could proxy content from my server, so my last thought was to use a remote JavaScript.

A remote JavaScript works. It breaks when the user has JavaScript disabled, which is a downside; but it works. The "problem" I was having with using a remote JavaScript was that I had to use the JS function document.write() to output any content. Any output that isn't JS causes script errors. In addition to using document.write() for every line, you also have to ensure that the content is escaped - or else you end up with more script errors.

My solution is as follows:

My script received a GET parameter ("page") and then looked for the file ({$page}.php), and read the contents into a variable. However, I had to use awkward buffering techniques in order to actually execute the included scripts (for things like database interaction) then strip the final content of all line break characters (\n) followed by escaping all required characters. The end result is that my original script (which outputs JavaScript) accesses seemingly "standard" scripts on my server and converts their standard output to JavaScript for displaying within the CMS template.

While this solution works, it seems like there may be a better way to accomplish the same thing. What is the best way to make cross-site scripting work specifically for the purpose of including content from a completely different domain?

Recommended answer

You have three options:

  1. Create a server side proxy script.
  2. Create a remote script to read in remote dynamic HTML. Use a library like jQuery to make this easier. You can use the load function to inject HTML where needed. EDIT What I originally meant for example # 2 was utilizing JSONP, which requires the server side script to recognize the "callback=?" param.
  3. Use a client-side Flash proxy and set up a crossdomain.xml file.
