html markup in messages properties with placeholders - XSS potential


Problem description

Given the message in a messages properties file:

message = Change relation <strong>{0}</strong> -> <strong>{1}</strong> to <strong>{2}</strong> -> <strong>{3}</strong>?

If the content of any of the placeholders is a user-influenced string, I need to html escape the message in order to prevent a potential XSS (I do that by using the c:out tag in my JSP templates; I guess I could use the htmlEscape attribute of the spring:message tag as well, but I think there's no difference).

However, by doing so I corrupt the markup in the message, <strong> etc., which leads to the output:

Change relation <strong>Peter</strong> -> <strong>Car</strong> to <strong>Carl</strong> -> <strong>Bus</strong>?

I've already read the thread here on stackoverflow, but it does not address XSS.

I'm considering the following options:

1) Simply replace all <strong> tags in the messages properties files with single quotes. Then there's no problem html escaping the entire message, with the drawback of a little less highlighting of the specific parts of the message.

2) Split the message into parts which allow for separate markup in the (JSP) template. This feels like much work just to get the markup right.

Am I missing something here? Which is the better option, or is there another option?

Without html-escaping, the message is, as I want it to be, like this:

Change relation Peter -> Car to Carl -> Bus?

So the html markup as in the messages.properties file is being rendered when displayed in the template.

When escaping, the message is like above, showing me the <strong> tags instead of rendering them.

Recommended answer

Assuming you are getting the following output:

Change relation &lt;strong&gt;Peter&lt;/strong&gt; -&gt; &lt;strong&gt;Car&lt;/strong&gt; to &lt;strong&gt;Carl&lt;/strong&gt; -&gt; &lt;strong&gt;Bus&lt;/strong&gt;

It looks like you are escaping your entire HTML string rather than just the part that needs to be escaped.

You should escape each {#} value on its own, and then place it into the HTML. The general values you need to escape are: <, >, ', ", and &, but use an anti-XSS library and templating system if you can.

Once you've escaped all the potentially dangerous parts, you can use something like <c:out value="${msg}" escapeXml="false"/>. This is not a language/framework I know, but you need some way to output the actual HTML vs the escaped version. Whatever way you prefer should be fine as long as you properly escape the untrusted part.
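As an added example, not code from the question or from the answer, here is the answer's approach in plain Java using java.text.MessageFormat, which is also what Spring's MessageSource uses to fill in {0}..{3}. It puts the question's order of operations (format, then escape everything) next to the recommended one (escape each placeholder value, then format), so you can see that the second keeps the <strong> markup from messages.properties while neutralising any markup that arrives inside a user-influenced value. The escapeHtml helper, the class name and the sample values are constructed for this example.

```java
import java.text.MessageFormat;

// Added example, not code from the question or the answer. Shows the two
// orders of operations the thread discusses: escaping the whole formatted
// message (corrupts the trusted <strong> markup) versus escaping each
// placeholder value and then formatting (trusted markup kept, untrusted
// markup neutralised). The result of the second is what you would hand to
// <c:out value="${msg}" escapeXml="false"/>.
public final class MessagePlaceholderEscaping {

    // The pattern from the question's messages.properties file.
    static final String PATTERN =
        "Change relation <strong>{0}</strong> -> <strong>{1}</strong> "
      + "to <strong>{2}</strong> -> <strong>{3}</strong>?";

    // Minimal escaper for the five characters the answer lists (& < > " ').
    // In a real application use the escaper of your templating or anti-XSS library.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What the question did: format first, then escape everything.
    // Safe against XSS, but the <strong> tags are shown literally.
    static String formatThenEscapeAll(String... values) {
        return escapeHtml(MessageFormat.format(PATTERN, (Object[]) values));
    }

    // What the answer recommends: escape each untrusted value, then format.
    // Only the placeholder contents are escaped; the pattern's markup is kept.
    static String escapeEachThenFormat(String... values) {
        Object[] escaped = new Object[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escapeHtml(values[i]);
        }
        return MessageFormat.format(PATTERN, escaped);
    }

    public static void main(String[] args) {
        // Constructed sample input: the last value is user-influenced and
        // carries its own markup, which must not reach the page as HTML.
        String[] values = { "Peter", "Car", "Carl", "<i>Bus</i>" };

        System.out.println("whole message escaped (question's result):");
        System.out.println("  " + formatThenEscapeAll(values));
        System.out.println("values escaped, then formatted (answer's result):");
        System.out.println("  " + escapeEachThenFormat(values));
    }
}
```

The string returned by escapeEachThenFormat is already safe HTML, so it must be emitted without a second escaping pass (escapeXml="false" in the JSP), otherwise you are back to the corrupted output from the question. One caveat if you prefer option 1 from the question: MessageFormat treats a single quote in the pattern as its quoting character, so every literal ' in messages.properties has to be written as '' or the placeholders next to it are no longer replaced.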
