我是否需要清理JSONP调用中的回调参数? [英] Do I need to sanitize the callback parameter from a JSONP call?

问题描述

我想通过JSONP提供Web服务，并且想知道是否需要清理callback参数中的值.

I would like to offer a webservice via JSONP and was wondering, if I need to sanitize the value from the callback parameter.

我当前的服务器端脚本当前看起来像这样(或多或少.代码在PHP中，但实际上可以是任何东西.):

My current server side script looks like this currently (More or less. Code is in PHP, but could be anything really.):

header("Content-type: application/json; charset=utf-8");
echo $_GET['callback'] . '(' . json_encode($data) . ')';

这是经典的XSS漏洞.

This is a classic XSS-vulnerability.

如果需要消毒，怎么办?我找不到有关可能允许使用的回调字符串的足够信息.我引用了维基百科:

If I need to sanitize it, then how? I was unable to find enough information about what might be allowed callback strings. I quote from Wikipedia:

尽管填充(前缀)通常是在浏览器的执行上下文中定义的回调函数的名称，但它也可以是变量赋值，if语句或任何其他Javascript语句前缀.

While the padding (prefix) is typically the name of a callback function that is defined within the execution context of the browser, it may also be a variable assignment, an if statement, or any other Javascript statement prefix.

推荐答案

是的，当callback类似于

(function xss(x){evil()})

当您从php回显时，将看起来像

When you echo back from php, will looks like

(function xss(x){evil()})(json)

xss函数将运行，evil()可能是一些将cookie发送到其他地方的代码.

function xss will run and evil() can be some codes sending cookies to somewhere else.

因此，将其清除为仅有效的函数名称，例如，将其限制为字母数字

So, sanitize it to only valid function names, for example, limit it to alphanumeric

这篇关于我是否需要清理JSONP调用中的回调参数?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！