树枝:允许HTML,但转义脚本 [英] Twig: Allow HTML, but escape script

查看:103
本文介绍了树枝:允许HTML,但转义脚本的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在研究针对我的应用程序的可能的XSS攻击媒介.

I am investigating a possible XSS attack vector for my application.

我所拥有的:

  • 具有单个textarea字段的FormType.通常,该字段可以包含html标签.
  • Twig模板,用于呈现插入的数据.
  • FormType with a single textarea field. Normally this field can contain html tags.
  • Twig template that renders the data inserted.

我使用该表格插入以下内容:

I use that form to insert the following content:

<b>Some valid HTML text</b>
<script type="text/javascript">alert("XSS")</script>

查看该数据需要转义.对于数据转义,我不熟悉几种策略.

Viewing that data would require escaping. I am familiar with few strategies when it comes to escaping the data.

1)raw过滤器:完全禁用转义->引入可能的XSS

1) raw filter: Completely disables escaping -> introduces possible XSS

2)e过滤器:

  • html风味输出:<b>Some valid HTML text</b> <script type="text/javascript">alert("XSS")</script>
  • js风味输出:\x3Cb\x3ESome\x20valid\x20HTML\x20text\x3C\x2Fb\x3E\x0D\x0A\x3Cscript\x20type\x3D\x22text\x2Fjavascript\x22\x3Ealert\x28\x22XSS\x22\x29\x3C\x2Fscript\x3E
  • html flavor outputs: <b>Some valid HTML text</b> <script type="text/javascript">alert("XSS")</script>
  • js flavor outputs: \x3Cb\x3ESome\x20valid\x20HTML\x20text\x3C\x2Fb\x3E\x0D\x0A\x3Cscript\x20type\x3D\x22text\x2Fjavascript\x22\x3Ealert\x28\x22XSS\x22\x29\x3C\x2Fscript\x3E

3){{ var|striptags('<br>')|raw }},输出:一些有效的HTML文本 alert("XSS")

3) {{ var|striptags('<br>')|raw }}, outputs: Some valid HTML text alert("XSS")

这是可行的,但是我不喜欢它.我宁愿在寻找黑名单解决方案,而不是白名单.

This one works, but somehow I don't like it. I am rather looking for a black-list solution, not white-list.

现在的问题:

是否还有其他转义策略允许html标签但像e("js")过滤器一样转义<script>标签?

Is there any other escaping strategy that allows html tags but escapes <script> tag like e("js") filter does?

我应该在表单提交过程中还是在Twig渲染过程中杀死"脚本吗?

Should I "kill" the script during the form submission or during the Twig rendering?

推荐答案

我建议添加一个新的满足您需求的Twig过滤器.

I would suggest adding a new Twig filter that fits your needs.

它应该看起来像

{{var | filter_black_listed() }}

,然后在过滤器逻辑中添加类似

and in the filter logic you add something like

class FilterBlackListedExtension extends \Twig_Extension
{
    private $blacklistedTags = ['script', 'p'];

    public function getFilters()
    {
        return array(
            new \Twig_SimpleFilter('filter_black_listed', array($this, 'htmlFilter')),
        );
    }

    public function htmlFilter($html)
    {
        foreach ($this->blacklistedTags as $tag) {
            preg_replace('/(<' . $tag . '>)(.*)(<\/' . $tag . '>)/g', '', $html);
        }

        return $html; // maybe even apply the raw filter also afterwards.
    }

    public function getName()
    {
        return 'filter_black_listed_extension';
    }
}

让我知道您是否无法完成这项工作:)

let me know if you don't manage to make this work :)

这篇关于树枝:允许HTML,但转义脚本的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆