是< span style = ...>安全消毒吗? [英] Is <span style=...> safe for sanitize?

问题描述

我正在使用RTF编辑器(CKEditor)，并且有机会让用户创建可以显示给其他用户的配置文件.

I am using a rich text editor (CKEditor) and I have the opportunity to let users create profiles that are displayed to other users.

当我将它们显示为以下内容时，CKEditor可以控制的许多属性都丢失了:

Many of the attributes CKEditor can control are being lost when I display them as:

<%= sanitize(profile.body) %>

我的问题是:允许解析属性样式"是否安全?这样可以显示文本颜色，大小，背景颜色，居中，缩进等内容.我只想确保它不会允许黑客访问我不知道的东西！

My question is: is it safe to allow the attribute 'style' to be parsed? This would allow things like text color, size, background color, centering, indenting, etc. to be displayed. I just want to be sure it won't allow a hacker access to something I don't know about!

推荐答案

允许解析属性样式"是否安全?

is it safe to allow the attribute 'style' to be parsed?

否.

background-image: url(javascript:[code]);
width: expression([code]);                  /* ie */
behavior: url([link to code]);              /* ie */
-moz-binding: url([link to code]);          /* ff */

更不用说UI欺骗攻击，例如将假登录表单放置在真实表单或某物上.

Not to mention UI-spoofing attacks like positioning a false login form over a real one or something.

这篇关于是< span style = ...>安全消毒吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！