Angular 2: sanitizing HTML stripped some content with div id - is this a bug or a feature?


Question

I use <div [innerHTML]="body"></div> to pass unescaped HTML to my template, and when I pass a div with an id attribute in body, Angular throws:

WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss). WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss). WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss).

See plnkr.

So why does it say this? What can be dangerous about an id in a div? Could this be a bug?

Answer

It is because the id attribute is not safe.

This is not my answer, but it will answer your question: https://security.stackexchange.com/questions/88973/why-do-id-attributes-need-stricter-validation

For id and name, these attributes are frequently used as reference points in the DOM.

If an attacker can spoof these reference points, she can fool existing scripts into getting and setting values from places other than those they were designed for, which could be dangerous depending on the context in which they are used.

Note from me: the rest of his post talks about the name attribute, but you'll get the idea behind all this if you don't already from what's above.

This also applies to HTML forms where name is used to identify the name/value pair. For example, if a website does not encode a particular form field when it is output, but since the form field is server generated and the form is protected against CSRF by the use of tokens, it cannot be exploited by normal means. However, an attacker may be able to entice a user to visit a URL with a parameter that is used in name, containing an XSS payload to execute on submission of the form.

e.g. normal usage:

https://example.com/product?item_name=watch&qty=1

renders the form

<form>

<input type="hidden" name="watch" value="1" />
<input type="hidden" name="shop_name" value="Bob's Supplies" />
<input type="hidden" name="anti-csrf" value="asdjasodhoai" />

<input type="submit" value="Click here to buy" />

</form>

and then outputs

Thank you for buying from Bob's Supplies.

However, an attacker could send a link to the user like so:

https://example.com/product?item_name=shop_name&qty=<script>alert('xss')</script>

As the application is correctly HTML encoding at this point, it renders the form as

<form>

<input type="hidden" name="shop_name" value="&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;" />
<input type="hidden" name="shop_name" value="Bob's Supplies" />
<input type="hidden" name="anti-csrf" value="asdjasodhoai" />

<input type="submit" value="Click here to buy" />

</form>

and then outputs

Thank you for buying from <script>alert('xss')</script>.

since this page doesn't HTML encode the shop_name parameter because it is trusted, and the application framework always takes the first value in case of duplicates. Very contrived, but it was the first thing that fell into my head to demonstrate the point.
