建立链接时缓解XSS攻击 [英] Mitigate xss attacks when building links

问题描述

我前不久发布了这个问题，它对于从用户生成的帖子中查找和链接"链接非常有用. Linkify Regex函数PHP大胆的火球方法

I posted this question a while back and it is working great for finding and 'linkifying' links from user generated posts. Linkify Regex Function PHP Daring Fireball Method

   <?php
if (!function_exists("html")) {
function html($string){
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}
}

if ( false === function_exists('linkify') ):   
  function linkify($str) {
$pattern = '(?xi)\b((?:(http)s?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:\'".,<>?«»""‘’]))';
return preg_replace_callback("#$pattern#i", function($matches) {
    $input = $matches[0];
    $url = $matches[2] == 'http' ? $input : "http://$input";
    return '<a href="' . $url . '" rel="nofollow" target="_blank">' . "$input</a>";
}, $str); 
}
endif;

echo "<div>" . linkify(html($row_rsgetpost['userinput'])) . "</div>";

?>

我担心我可能会通过将用户生成的内容插入链接来引入安全隐患.在通过linkify函数运行它并回显页面之前，我已经使用htmlspecialchars($string, ENT_QUOTES, 'UTF-8')转义了来自数据库的用户内容，但是我已经读过OWASP，需要对链接属性进行特殊处理以缓解XSS.我认为此功能还可以，因为它将用户生成的内容放在双引号中，并且已经使用htmlspecialchars($string, ENT_QUOTES, 'UTF-8')进行了转义，但是我非常感谢具有xss专业知识的人对此进行确认.谢谢！

I am concerned that I may be introducing a security risk by inserting user generated content into a link. I am already escaping user content coming from my database with htmlspecialchars($string, ENT_QUOTES, 'UTF-8') before running it through the linkify function and echoing back to the page, but I've read on OWASP that link attributes need to be treated specially to mitigate XSS. I am thinking this function is ok since it places the user-generated content inside double quotes and has already been escaped with htmlspecialchars($string, ENT_QUOTES, 'UTF-8'), but would really appreciate someone with xss expertise to confirm this. Thanks!

推荐答案

您的正则表达式正在查找http或https的url.该表达式似乎相对安全，因为in不会检测到不是url的任何内容.

Your regular expression is looking for urls that are of http or https. That expression seems to be relatively safe as in does not detect anything that is not a url.

XSS漏洞来自将url作为html参数转义.这意味着确保url不能过早地转义url字符串，然后向@Rook提到的html标签添加额外的属性.

The XSS vulnerability comes from the escaping of the url as html argument. That means making sure that the url cannot prematurely escape the url string and then add extra attributes to the html tag that @Rook has been mentioning.

因此，我真的无法考虑如何使用@tobyodavies建议的以下代码执行XSS攻击，但是没有urlencode，它可以执行其他操作:

So I cannot really think of a way how an XSS attack could be performed the following code as suggested by @tobyodavies, but without urlencode, which does something else:

$pattern = '(?xi)\b((?:(http)s?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:\'".,<>?«»""‘’]))';
return preg_replace_callback("#$pattern#i", function($matches) {
    $input = $matches[0];
    $url = $matches[2] == 'http' ? $input : "http://$input";
    return '<a href="' . htmlspecialchars($url) . '" rel="nofollow" target="_blank">' . "$input</a>";
}, $str); 

请注意，我还添加了一个用于检查http前缀的小快捷方式.

Note that I have also a added a small shortcut for checking the http prefix.

现在，您生成的锚链接是安全的.

Now the anchor links that you generate are safe.

但是，您还应该清理其余文本.我想您根本不想允许任何html并将所有html显示为明文.

However you should also sanitize the rest of the text. I suppose that you don't want to allow any html at all and display all the html as clear text.

这篇关于建立链接时缓解XSS攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！