安全地发布然后打印JavaScript标签 [英] Securely posting and then printing JavaScript tags

问题描述

我正在尝试使用PHP开发后端广告检查应用程序.我们有很多可以展示广告的地方，几乎所有地方都有其独特的要求(它们都显示在游戏中，这就是每个人的大小，重量，格式等不同的原因).由于这可能会导致针对不同游戏的广告系列产生很多混乱(代理机构向我们发送格式错误的广告)，因此我们需要检查每个广告，以确保其能够正常工作.

I am trying to develop a back-end Ad Checking application in PHP. We have lots of places where ads can be shown and almost all of them has its unique requirements (they are shown inside games, that is why everyone is different in size, weight, format, etc.). Since this can cause lots of confusions on campaigns targeting different games (with the agencies sending us ads with the wrong formats), we need to check every ad to make sure it works as expected.

如果我们的客户向我们发送了要检查的广告文件，则该应用程序运行良好.但是大多数情况下，它们会发送Adserver标签，以便他们跟踪结果，这些标签通常是javascript和iframe标签.

The application works fine if our clients send us the Ad File to check. But most of the time they send Adserver tags, so they can keep track of the results, and those tags generally are javascript and iframe tags.

问题是如何安全地允许在所有浏览器上插入javascript和iframe代码并将其呈现到回发页面上的页面(以进行视觉检查)，而又不会冒XSS问题的风险?

The problem is how to securelly allow the insertion of javascript and iframe code, and render that to the page on the postback page (for visual checking), on all browsers, without risking XSS problems?

由于安全措施，目前，我设法将代码发布并打印到所有浏览器(但不是Chrome)上的回发页面上.但是，由于无论如何我都必须解决该问题，我如何才能使其在所有浏览器上都能正常工作，并且仍然确保该应用程序是安全的?

At the moment, I've managed to post the code and print to the postback page on all browsers, but Chrome, because of the security measures. But since I'm gonna have to tackle that issue anyway, how can I make it work on all browsers and still be sure the application is safe?

谢谢. Decio

推荐答案

如果包含第3方javascript代码，则始终会冒XSS的风险.假设您正在测试广告提供商提供的代码:

If you include 3rd party javascript code, you are always risking XSS. Let's say, you're testing the code from ad provider:

<script src="http://some3rdPartySite.com/script.js"></script>

可以更改
1. 脚本以使其显示，并在目标域和所有其他页面上导致不同的结果.也就是说，您可以看到它想要如何显示给您，但是您不确定在某些客户的游戏中它是否会相同.
2. 广告提供商可以随时在测试后更改其服务器上的脚本.

如果您不信任广告供应商，建议让他们选择图片+ URL或iframe URL +尺寸.您也可以使用iframe进行不良操作"(例如破坏框架，从而从客户页面重定向)，但是您仍然必须遵守跨域策略.如果您允许执行javascript代码，则不是这种情况.

If you do not trust your ad vendors, I suggest to let them choose image + URL or iframe URL + dimensions. You can do "bad stuff" with Iframe too (like frame-busting thus redirecting from your customer page), but you still must obey cross-domain policy. This is not the case if you let javascript code to be executed.

您还可以为广告供应商提供自己的分析工具，以满足他们的需求.

You could also provide your own analytics for ad vendors to fill their needs.

无论如何，要测试javascript结果，您可以在任何浏览器中使用Selenium驱动程序: http://seleniumhq.org/ .它使您可以加载任何页面，执行javascript代码并获取结果.这样，您可以加载JavaScript代码，在DOM中搜索节点并检查其尺寸等.

Anyway, for testing javascript results you could use Selenium drivers with any browser: http://seleniumhq.org/. It let's you to load any page, execute javascript code and get results. In this way you could load your javascript code, search DOM for nodes and check their dimensions etc.

此外，您还可以查看sahi: http://sahi.co.in/w/

Also, you can look at sahi: http://sahi.co.in/w/

这篇关于安全地发布然后打印JavaScript标签的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！