How is concatenating urls in templates in angular less secure than in other locations?

Views: 110

Question

I have an angularjs template which looks similar to this:

<img ng:src="/resources/{{id}}/thumbnail" />

However this results in an $interpolate:noconcat error. In contrast to that this template:

<img ng:src="{{fullUrl}}" />

or even:

<img ng:src="{{id|createThumbnailURL}}" />

(where createThumbnailURL is a simple filter which does the same concatenation as above) work totally fine.

The documentation says:

Concatenating expressions makes it hard to reason about whether some combination of concatenated values are unsafe to use and could easily lead to XSS.

Well yes, a static URL is always easier to assess than a concatenated one, I see the point there. However it does not sound uncommon to me to have REST-APIs that have URLs that can be constructed by simple concatenation and that concatenation has to be done somewhere. I can do it in the controller or even server-side, but how does that improve anything to move the concatenation elsewhere? And what is the recommended way to deal with the problem?

Update

Here is a demonstration of the error: http://cipher-$c$c.de/tmp/angular3/index.xhtml

Maybe it has to do with the page being XML.

Answer

This is called SCE (Strict Contextual Escaping): Like many "strictness" modes, this is configurable. But as of V 1.2 it is automatically set to true.

More specifically, in contexts Angular considers to be vulnerable (like URLs), there is less interpolation allowed (Strictness). Your URL concatenation is being "sanitized".

You are already aware of the reason: XSS attacks. It's also used for the developer's protection: a slightly wrong url could cause data deletes or overwriting.

You're probably confused why full string interpolation ng:src="{{fullUrl}}" is so much safer than string concatenation ng:src="/resources/{{id}}/thumbnail". TBH, I'm not sure there's a serious difference, but these are judgement calls.

You have some alternatives for dealing with this annoyance:

1) Wrap your URL construction in $sce.trustAs()

<img ng:src="sce.trustAs('url', '/resources/{{id}}/thumbnail')" />

2) You can disable SCE across your application, if you choose

angular.module('myApp').config(function($sceProvider) {
    $sceProvider.enabled(false);
});

Correction:

You can't call the $sce service from a directive. Only the $scope service is directly available. But you can use a function (or a directive that uses a function).

    $scope.createUrl = function (strName) {
        var truststring = '/resources/' + strName + '/thumbnail';

        return truststring;
    }

and your directive call would look like

<img ng:src="{{ createUrl(id) }}" />

In this case, if you wrap your concatenation in a function, you may not even need to de-sanitize it since you won't be breaking the SCE rules.
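As an added example (not code from the question, the answer, or AngularJS itself), the plain JavaScript below emulates the single-expression rule behind the $interpolate:noconcat error that the question hits, and implements the controller-side URL builder the Correction recommends. The interpolation splitter is a hypothetical re-implementation of the rule, not the real $interpolate service; the module name myApp, the controller name ThumbnailCtrl, and the sample ids are assumptions.

```javascript
// Added example; not the question's, the answer's, or AngularJS's own code.
// Part 1 emulates the rule behind $interpolate:noconcat: in an SCE-checked
// context, an attribute value assembled from more than one piece (literal text
// plus {{expression}}, or several expressions) is rejected.
// Part 2 is the pattern from the answer's Correction: build the URL in a
// controller function so the template contains a single expression.
// Runs stand-alone in Node or a browser; the AngularJS registration at the
// bottom only executes when `angular` is loaded.

var START = '{{';
var END = '}}';

// Split an attribute value into literal text and {{expression}} pieces the way
// $interpolate does (emulation): empty text pieces are dropped and each
// expression counts as one piece. Returns { concat: [...], expressions: [...] }.
function parseInterpolation(text) {
  var concat = [];
  var expressions = [];
  var index = 0;
  while (index < text.length) {
    var start = text.indexOf(START, index);
    var end = start === -1 ? -1 : text.indexOf(END, start + START.length);
    if (start === -1 || end === -1) {
      // No further interpolation: the remainder is one literal piece.
      if (index !== text.length) concat.push(text.substring(index));
      break;
    }
    if (index !== start) concat.push(text.substring(index, start));
    var exp = text.substring(start + START.length, end).trim();
    expressions.push(exp);
    concat.push(exp); // stands in for the evaluated expression
    index = end + END.length;
  }
  return { concat: concat, expressions: expressions };
}

// The noconcat check: more than one piece means the final value is a
// concatenation whose safety cannot be judged from any single expression.
function isConcatenation(text) {
  return parseInterpolation(text).concat.length > 1;
}

// Controller-side URL builder. The id is percent-encoded as one path segment,
// so an id like "../admin" or "42?delete=1" cannot redirect the request to a
// different endpoint; the template only ever sees one finished URL.
function createThumbnailUrl(id) {
  if (typeof id !== 'string' || id.length === 0) {
    throw new TypeError('resource id must be a non-empty string');
  }
  return '/resources/' + encodeURIComponent(id) + '/thumbnail';
}

// Constructed sample inputs: the three attribute values discussed above.
var SAMPLE_TEMPLATES = {
  concatenated: '/resources/{{id}}/thumbnail', // rejected: three pieces
  singleValue: '{{fullUrl}}',                  // accepted: one expression
  viaFunction: '{{ createUrl(id) }}'           // accepted: one expression
};

// Report, per sample, whether the emulated rule would raise noconcat.
function classifyTemplates(templates) {
  var out = {};
  Object.keys(templates).forEach(function (name) {
    out[name] = isConcatenation(templates[name]) ? 'noconcat' : 'ok';
  });
  return out;
}

// Wiring for the Correction's pattern (module and controller names assumed).
// Template side: <img ng-src="{{ createUrl(id) }}" />
if (typeof angular !== 'undefined') {
  angular.module('myApp').controller('ThumbnailCtrl', ['$scope', function ($scope) {
    $scope.createUrl = createThumbnailUrl;
  }]);
}
```

Running `classifyTemplates(SAMPLE_TEMPLATES)` marks only the concatenated form as `noconcat`; the function-based form passes because the template holds one expression, and the encoding inside `createThumbnailUrl` keeps an untrusted id from reshaping the path.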
