防止XSS攻击并仍然使用Html.Raw [英] Prevent XSS attacks and still use Html.Raw

问题描述

我有CMS系统，正在使用CK编辑器输入数据.现在，如果用户键入<script>alert('This is a bad script, data');</script>，则CKEditor会完成公平的工作并将其正确编码，然后将<script>alert('This is a bad script, data')</script>传递给服务器.

I have CMS system where I am using CK Editor to enter data. Now if user types in <script>alert('This is a bad script, data');</script> then CKEditor does the fair job and encodes it correctly and passes <script>alert('This is a bad script, data')</script> to server.

但是，如果用户进入浏览器开发人员工具(使用Inspect元素)并将其添加到内部(如下面的屏幕截图所示)，则这是所有麻烦开始的时候.现在，从数据库检索回来后，当它显示在浏览器中时，它会显示警告框.

But if user goes into browser developer tools (using Inspect element) and adds this inside it as shown in the below screen shot then this is when all the trouble starts. Now after retrieving back from DB when this is displayed in Browser it presents alert box.

到目前为止，我已经尝试了许多不同的东西

So far I have tried many different things one them is

• 使用

• Encode the contents using AntiXssEncoder [HttpUtility.HtmlEncode(Contents)] and then store it in database and when displaying back in browser decode it and display it using MvcHtmlString.Create [MvcHtmlString.Create(HttpUtility.HtmlDecode(Contents))] or Html.Raw [Html.Raw(Contents)] as you may expect both of them displays JavaScript alert.

我不想通过代码手动替换<script>，因为它是

I don't want to replace the <script> manually thru code as it is not comprehensive solution (search for "And the encoded state:").

到目前为止，我已经引用了许多文章(很抱歉，这里没有列出所有文章，只是添加了很少的证据来表明我在写这个问题之前已经做出了真诚的努力)，但是没有一篇文章提供显示答案的代码.可能有一些简单的答案，我的方向不是正确的，或者根本不是那么简单，我可能需要使用

So far I have referred many articles (sorry not listing them all here but just adding few as proof to show I have put sincere efforts before writing this question) but none of them have code which shows the answer. May be there is some easy answer and I am not looking in right direction or may be it is not that simple at all and I may need to use something like Content Security Policy.

具有AntiXSS保护的ASP.Net MVC HTML.Raw 使用@ Html.Raw是否存在风险? http://blog.simontimms. com/2013/01/21/content-security-policy-for-asp-net-mvc/ http://blog.michaelckennedy. net/2012/10/15/understanding-text-encoding-in-asp-net-mvc/

要重现我的意思，请转至* 此网址，然后在文本框中键入<script>alert('This is a bad script, data');</script>，然后单击按钮.

To reproduce what I am saying go to *this url and in the text box type <script>alert('This is a bad script, data');</script> and click the button.

*此链接来自迈克尔·肯尼迪的博客

*This link is from Michael Kennedy's blog

推荐答案

这并不容易，您可能不想这样做.我是否可以建议您使用比HTML更简单的语言来进行最终用户格式化的输入?我认为， Stackoverflow 使用的Markdown呢?还是现有的Wiki之一或其他轻量级标记语言?

It isn't easy and you probably don't want to do this. May I suggest you use a simpler language than HTML for end user formatted input? What about Markdown which (I believe) is used by Stackoverflow. Or one of the existing Wiki or other lightweight markup languages?

如果您确实允许使用HTML，我建议您采取以下措施:

If you do allow Html, I would suggest the following:

• 仅支持HTML的固定子集
• 用户提交内容后，解析HTML并根据允许的标签和属性白名单对其进行过滤.
• 毫不留情地过滤并消除所有不确定的内容.

现有的工具和库都可以执行此操作.我没有使用过它，但是我确实偶然发现了 http://htmlpurifier.org/.我认为还有很多其他人. Rick Strahl已发布了一个.NET的示例，但是我不确定它是否完整.

There are existing tools and libraries that do this. I haven't used it, but I did stumble on http://htmlpurifier.org/. I assume there are many others. Rick Strahl has posted one example for .NET, but I'm not sure if it is complete.

大约十年前，我尝试编写自己的白名单过滤器.它解析并规范化了输入的HTML.然后，它删除了所有不在允许的白名单中的元素或属性.它工作得很好，但是您永远都不知道您错过了哪些漏洞.这个项目早已死了，但是如果我不得不再做一次，那我将使用现有的更简单的标记语言而不是Html.

About ten years ago I attempted to write my own whitelist filter. It parsed and normalized the entered Html. Then it removed any elements or attributes that were not on the allowed whitelist. It worked pretty well, but you never know what vulnerabilities you've missed. That project is long dead, but if I had to do it over I would have used an existing simpler markup language rather than Html.

用户可以通过多种方式将讨厌的内容注入您的页面，因此必须采取严厉措施以防止这种情况的发生.甚至CSS也可以用于将可执行表达式插入您的页面，例如:

There are so many ways for users to inject nasty stuff into your pages, you have to be fierce to prevent this. Even CSS can be used to inject executable expressions into your page, like:

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

此处是包含已知攻击列表的页面，夜晚.如果您无法过滤并阻止所有这些操作，那么您还不准备让不受信任的用户发布公众可以查看的格式化内容.

Here is a page with a list of known attacks that will keep you up at night. If you can't filter and prevent all of these, you aren't ready for untrusted users to post formatted content viewable by the public.

就在我使用自己的过滤器的那段时间，MySpace(哇，我老了)被称为 .

Right around the time I was working on my own filter, MySpace (wow I'm old) was hit by an XSS Worm known as Samy. Samy used Style attributes with embedded background Url that had a javascript payload. It is all explained by the author.

请注意，您的示例页面表示:

此页面 meant 可以接受和显示受信任的原始HTML 编辑.

This page is meant to accept and display raw HTML by trusted editors.

这里的关键问题是信任.如果您的所有用户都是受信任的(例如某个网站的员工)，那么这里的风险会更低.但是，如果您要建立一个论坛或社交网络或约会网站，或者任何允许不受信任的用户输入其他人可以查看的格式化内容的网站，则要清理Html会很困难.

The key issue here is trust. If all of your users are trusted (say employees of a web site), then the risk here is lower. However, if you are building a forum or social network or dating site or anything that allows untrusted users to enter formatted content that will be viewable by others, you have a difficult job to sanitize Html.

这篇关于防止XSS攻击并仍然使用Html.Raw的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！