禁用特定页面上的Javascript执行(HTML / PHP) [英] Disable Javascript execution on specific pages (HTML/PHP)
问题描述
是否有任何HTTP标头禁用特定页面的Javascript?
我的网站提供用户生成的HTML内容(这就是为什么我不能只使用 htmlenitities )而且我想阻止编写脚本(JavaScript注入)。
is there any HTTP-header to disable Javascript for a specific page?
My website delivers user-generated HTML-content (that is why I cannot just use htmlenitities) and I would like to prevent scripting (JavaScript injections).
我已经在主域上使用HttpOnly-cookies进行身份验证,而用户内容仅显示在无法读取cookie的子域中。
问题是执行JavaScript的可能性太多 - 例如使用 onclick 等事件属性,Internet Explorer甚至在CSS中都有一个属性来允许JavaScript执行(表达式),这是我以前从未听说过的。我读过的另一个有趣的想法是关于抛出异常以阻止下面的代码。
另一个想法是定义一个包含所有允许标签的列表,另外还有一个包含每个允许属性名称的数组,但这是非常辛苦的工作,我想这不会涵盖所有可能的注入。
I already use HttpOnly-cookies being set for authentication on the main domain only, while user content is only displayed on subdomains where the cookie cannot be read.
The problem is that there are still too many possibilities to execute JavaScript - for example using event attributes like onclick and Internet Explorer has even a property in CSS to allow JavaScript executions (expression) which I had never heard of before. Another interesting idea I have read of, was about throwing an exception in order to block the code following.
One more idea would be defining a list containing all allowed tags and additionally an array with each allowed attribute name but this is very hard work and I guess this would not cover all possible injections.
我想我不是唯一有这个问题的人,所以有人知道可能包含所有可能有害的代码 - 至少在现代浏览器中是这样吗?
I guess I am not the only person having this problem, so does anybody know a possiblility covering all possible harmful code - at least in modern browsers?
一个简单的虚构标题,类似于 X-Scripting:disabled 会让生活变得如此简单!
A simple imaginary header similar to X-Scripting: disabled would make life so much easier!
推荐答案
是的,有一个名为内容安全策略,允许您控制JavaScript的来源,这可能使XSS无法实现。但目前只有Chrome和Firefox支持。
Yes, there is an experimental HTTP header called the Content Security Policy that allows you to control where JavaScript comes from, which can make XSS impossible. However it is currently only supported by Chrome and Firefox.
启用HttpOnly-cookies是一个好主意,但这样可以防止 ZERO 攻击。您仍然可以通过阅读CSRF令牌,并使用XHR执行请求来利用XSS。
It is a good idea to enable HttpOnly-cookies, however this will prevent exactly ZERO attacks. You can still exploit XSS by reading CSRF tokens, and carrying out requests with an XHR.
有许多方法可以获得XSS,还有一个漏洞扫描程序,如 ShieldSeal 将(几乎)找到所有这些。 Skipfish 是一个非常原始的开源漏洞扫描程序,但它是免费的。这就是大多数Web应用程序处理广泛漏洞的方法。 (我为SheildSeal工作,我帮助建立他们的漏洞扫描程序,我喜欢我的工作。)
There are many ways of obtaining XSS, and a Vulnerability Scanner like ShieldSeal will find (nearly) all of them. Skipfish is an open source vulnerability scanner that is very primitive, but its free. This is how most web applications deal with wide spread vulnerabilities. (I work for SheildSeal and I help build their vulnerability scanner and I love my job.)
当发现问题时,你应该使用 htmlspecialchars( $ var)或 htmlspecialchars($ var,ENT_QUOTES)来清理输入。 ENT_QUOTES可以防止攻击者引入onclick或其他JavaScript事件。
When an issue is found you should use htmlspecialchars($var) or htmlspecialchars($var,ENT_QUOTES) to sanitize input. ENT_QUOTES can prevent an attacker from introducing an onclick or other JavaScript event.
这篇关于禁用特定页面上的Javascript执行(HTML / PHP)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
