XSS预防。处理<脚本就够了？ [英] XSS prevention. Handling <script is enough?

问题描述

我想知道从文本输入字段检查和删除< script是否足以阻止javascript代码注入攻击？

I was wondering if checking for and removing "<script" from text entry fields would be enough to stop javascript code injection attacks?

推荐答案

不，阻止特定案件是不够的 - 迟早会有人提出一个你没有做过的假设案例想想。

No, blocking specific cases is not enough - sooner or later, someone will come up with a contrived case you didn't think of.

请参阅此 XSS攻击列表对于最常见的（其他，仍然更奇特，可能存在）。您需要将允许的语法列入白名单，而不是假设已知向量旁边的所有内容都应该正常。

See this list of XSS attacks for the most common ones (other, still more exotic, may exist). You need to whitelist the allowed syntax instead of assuming that everything beside the known vectors should be OK.

这篇关于XSS预防。处理<脚本就够了？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！