安全读取查询字符串参数的最佳方法? [英] Best way to safely read query string parameters?
问题描述
我们有一个项目,该项目生成可用于其他各种项目的代码段.该代码的目的是从查询字符串中读取两个参数,并将它们分配给iframe的"src"属性.
We have a project that generates a code snippet that can be used on various other projects. The purpose of the code is to read two parameters from the query string and assign them to the "src" attribute of an iframe.
例如,URL为> http://oursite/Page.aspx的页面?a = 1& b = 2 中将包含JavaScript来读取"a"和"b"参数.然后,JavaScript将根据这些参数设置iframe的"src"属性.例如,< iframe src ="http://someothersite/Page.aspx?a = 1& b = 2"/>"
For example, the page at the URL http://oursite/Page.aspx?a=1&b=2 would have JavaScript in it to read the "a" and "b" parameters. The JavaScript would then set the "src" attribute of an iframe based on those parameters. For example, "<iframe src="http://someothersite/Page.aspx?a=1&b=2" />"
我们当前正在使用服务器端代码来执行此操作,该代码使用Microsoft的Anti Cross-Scripting库来检查参数.但是,一项新要求表明我们需要使用JavaScript,并且不能使用任何第三方JavaScript工具(例如jQuery或Prototype).
We're currently doing this with server-side code that uses Microsoft's Anti Cross-Scripting library to check the parameters. However, a new requirement has come stating that we need to use JavaScript, and that it can't use any third-party JavaScript tools (such as jQuery or Prototype).
我知道的一种方法是在使用参数之前替换参数中的所有<",单引号和双引号实例,但这对我来说似乎不够安全.
One way I know of is to replace any instances of "<", single quote, and double quote from the parameters before using them, but that doesn't seem secure enough to me.
参数之一始终是"P",后跟9个整数. 另一个参数始终是15个字母数字字符. (感谢利亚姆建议我说清楚).
One of the parameters is always a "P" followed by 9 integers. The other parameter is always 15 alpha-numeric characters. (Thanks Liam for suggesting I make that clear).
有人对我们有什么建议吗?
Does anybody have any suggestions for us?
非常感谢您的宝贵时间.
Thank you very much for your time.
推荐答案
不要使用转义和unescape,请使用encodeURIComponent. 例如.
Don't use escape and unescape, use decodeURIComponent. E.g.
function queryParameters(query) {
var keyValuePairs = query.split(/[&?]/g);
var params = {};
for (var i = 0, n = keyValuePairs.length; i < n; ++i) {
var m = keyValuePairs[i].match(/^([^=]+)(?:=([\s\S]*))?/);
if (m) {
var key = decodeURIComponent(m[1]);
(params[key] || (params[key] = [])).push(decodeURIComponent(m[2]));
}
}
return params;
}
并传递document.location.search.
and pass in document.location.search.
至于<到& lt;中,这不足以确保可以在不运行脚本的情况下将内容安全地注入HTML.确保您对以下<,>,&和."进行转义.
As far as turning < into <, that is not sufficient to make sure that the content can be safely injected into HTML without allowing script to run. Make sure you escape the following <, >, &, and ".
这不能保证参数没有被欺骗.如果您需要验证其中一台服务器生成了URL,请对URL签名进行搜索.
It will not guarantee that the parameters were not spoofed. If you need to verify that one of your servers generated the URL, do a search on URL signing.
这篇关于安全读取查询字符串参数的最佳方法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
