树枝:允许HTML,但转义脚本 [英] Twig: Allow HTML, but escape script
问题描述
我正在研究针对我的应用程序的可能的XSS
攻击媒介.
I am investigating a possible XSS
attack vector for my application.
我所拥有的:
- 具有单个
textarea
字段的FormType.通常,该字段可以包含html
标签. -
Twig
模板,用于呈现插入的数据.
- FormType with a single
textarea
field. Normally this field can containhtml
tags. Twig
template that renders the data inserted.
我使用该表格插入以下内容:
I use that form to insert the following content:
<b>Some valid HTML text</b>
<script type="text/javascript">alert("XSS")</script>
查看该数据需要转义.对于数据转义,我不熟悉几种策略.
Viewing that data would require escaping. I am familiar with few strategies when it comes to escaping the data.
1)raw
过滤器:完全禁用转义->引入可能的XSS
1) raw
filter: Completely disables escaping -> introduces possible XSS
2)e
过滤器:
-
html
风味输出:<b>Some valid HTML text</b> <script type="text/javascript">alert("XSS")</script>
-
js
风味输出:\x3Cb\x3ESome\x20valid\x20HTML\x20text\x3C\x2Fb\x3E\x0D\x0A\x3Cscript\x20type\x3D\x22text\x2Fjavascript\x22\x3Ealert\x28\x22XSS\x22\x29\x3C\x2Fscript\x3E
html
flavor outputs:<b>Some valid HTML text</b> <script type="text/javascript">alert("XSS")</script>
js
flavor outputs:\x3Cb\x3ESome\x20valid\x20HTML\x20text\x3C\x2Fb\x3E\x0D\x0A\x3Cscript\x20type\x3D\x22text\x2Fjavascript\x22\x3Ealert\x28\x22XSS\x22\x29\x3C\x2Fscript\x3E
3){{ var|striptags('<br>')|raw }}
,输出:一些有效的HTML文本 alert("XSS")
3) {{ var|striptags('<br>')|raw }}
, outputs: Some valid HTML text alert("XSS")
这是可行的,但是我不喜欢它.我宁愿在寻找黑名单解决方案,而不是白名单.
This one works, but somehow I don't like it. I am rather looking for a black-list solution, not white-list.
现在的问题:
是否还有其他转义策略允许html
标签但像e("js")
过滤器一样转义<script>
标签?
Is there any other escaping strategy that allows html
tags but escapes <script>
tag like e("js")
filter does?
我应该在表单提交过程中还是在Twig
渲染过程中杀死"脚本吗?
Should I "kill" the script during the form submission or during the Twig
rendering?
推荐答案
我建议添加一个新的满足您需求的Twig过滤器.
I would suggest adding a new Twig filter that fits your needs.
它应该看起来像
{{var | filter_black_listed() }}
,然后在过滤器逻辑中添加类似
and in the filter logic you add something like
class FilterBlackListedExtension extends \Twig_Extension
{
private $blacklistedTags = ['script', 'p'];
public function getFilters()
{
return array(
new \Twig_SimpleFilter('filter_black_listed', array($this, 'htmlFilter')),
);
}
public function htmlFilter($html)
{
foreach ($this->blacklistedTags as $tag) {
preg_replace('/(<' . $tag . '>)(.*)(<\/' . $tag . '>)/g', '', $html);
}
return $html; // maybe even apply the raw filter also afterwards.
}
public function getName()
{
return 'filter_black_listed_extension';
}
}
让我知道您是否无法完成这项工作:)
let me know if you don't manage to make this work :)
这篇关于树枝:允许HTML,但转义脚本的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!