是< span style = ...>安全消毒吗? [英] Is <span style=...> safe for sanitize?
问题描述
我正在使用RTF编辑器(CKEditor),并且有机会让用户创建可以显示给其他用户的配置文件.
I am using a rich text editor (CKEditor) and I have the opportunity to let users create profiles that are displayed to other users.
当我将它们显示为以下内容时,CKEditor可以控制的许多属性都丢失了:
Many of the attributes CKEditor can control are being lost when I display them as:
<%= sanitize(profile.body) %>
我的问题是:允许解析属性样式"是否安全?这样可以显示文本颜色,大小,背景颜色,居中,缩进等内容.我只想确保它不会允许黑客访问我不知道的东西!
My question is: is it safe to allow the attribute 'style' to be parsed? This would allow things like text color, size, background color, centering, indenting, etc. to be displayed. I just want to be sure it won't allow a hacker access to something I don't know about!
推荐答案
允许解析属性样式"是否安全?
is it safe to allow the attribute 'style' to be parsed?
否.
background-image: url(javascript:[code]);
width: expression([code]); /* ie */
behavior: url([link to code]); /* ie */
-moz-binding: url([link to code]); /* ff */
更不用说UI欺骗攻击,例如将假登录表单放置在真实表单或某物上.
Not to mention UI-spoofing attacks like positioning a false login form over a real one or something.
这篇关于是< span style = ...>安全消毒吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!