How safe is client-side HTML Sanitization?

Views: 170

Question


I have been looking at Pagedown.js lately for the allure of using mark-down on my pages instead of ugly readonly textareas.


I am extremely cautious though as it seems easy enough to dupe the sanitized converter. I have seen some discussion around Angular.js and its html bindings and also heard something when Knockout.js 3.0 came out that there had been a previous unsafeness to the html binding.


It would seem all someone would need to do to disable the sanitizer in Pagedown.js for instance is something like -

var safeConverter = new Markdown.Converter();
// safeConverter is open to script injection

safeConverter = Markdown.getSanitizingConverter();
// safeConverter is now safe

// Override the getSanitizingConverter pseudo-code: from now on every
// "sanitizing" converter handed out is really a plain, non-sanitizing one
Markdown.getSanitizingConverter = function () {
    return new Markdown.Converter();
};


and they could open a site up to script injection. Is that not true?

Edit


Then why would libraries like that package a sanitizer to use client-side? Sure they say don't render unsanitized html but the next line says use Markdown.Sanitizer..


How is Angular not open to it with the sanitizer service or is that just a farce as well?

Answer


I believe there is a little misunderstanding about the purpose and nature of such "sanitizers".


The purpose of a sanitizer (e.g. Angular's ngSanitize) is not to prevent "bad" data from being sent to the server-side. It is rather the other way around: A sanitizer is there to protect the non-malicious user from malicious data (being either a result of a security hole on the server side (yeah, no setup is perfect) or being fetched from other sources (ones that you are not in control of)).


Of course, being a client-side feature, a sanitizer could be bypassed, but (since the sanitizer is there to protect the user (not the server)) bypassing it would only leave the bypasser unprotected (which you can't do anything about, nor shouldn't you care - it's their choice).


Furthermore, sanitizers (can) have another (potentially more important) role: A sanitizer is a tool that helps the developer to better organize their code in a way that it is more easily testable for certain kinds of vulnerabilities (e.g. XSS attacks) and even helps in the actual code auditing for such kind of security holes.


In my opinion, the Angular docs summarize the concept pretty neatly:


Strict Contextual Escaping (SCE) is a mode in which AngularJS requires bindings in certain contexts to result in a value that is marked as safe to use for that context.
[...]
SCE assists in writing code in way that (a) is secure by default and (b) makes auditing for security vulnerabilities such as XSS, clickjacking, etc. a lot easier.


[...]
In a more realistic example, one may be rendering user comments, blog articles, etc. via bindings. (HTML is just one example of a context where rendering user controlled input creates security vulnerabilities.)


For the case of HTML, you might use a library, either on the client side, or on the server side, to sanitize unsafe HTML before binding to the value and rendering it in the document.


How would you ensure that every place that used these types of bindings was bound to a value that was sanitized by your library (or returned as safe for rendering by your server?) How can you ensure that you didn't accidentally delete the line that sanitized the value, or renamed some properties/fields and forgot to update the binding to the sanitized value?


To be secure by default, you want to ensure that any such bindings are disallowed unless you can determine that something explicitly says it's safe to use a value for binding in that context. You can then audit your code (a simple grep would do) to ensure that this is only done for those values that you can easily tell are safe - because they were received from your server, sanitized by your library, etc. You can organize your codebase to help with this - perhaps allowing only the files in a specific directory to do this. Ensuring that the internal API exposed by that code doesn't markup arbitrary values as safe then becomes a more manageable task.


Note 1: Emphasis is mine.
Note 2: Sorry for the lengthy quote, but I consider this to be a very important (as much as sensitive) matter and one that is too often misunderstood.
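The "secure by default" binding that the quoted Angular docs describe can be shown in a few dozen lines of plain JavaScript. The block below is an added illustration, not Pagedown's, Angular's or the answerer's code: every name in it (SafeHtml, sanitizeHtml, trustAsHtml, bindHtml, findTrustCalls) is hypothetical, and the tag allowlist and sample inputs are constructed. The point it makes is the one from the answer: the binding refuses raw strings outright, so there are exactly two ways to produce a renderable value, the allowlist sanitizer and one explicit escape hatch, and a grep for that escape hatch is the whole audit.

```javascript
// Added example, not Pagedown's or Angular's code: a minimal "secure by default"
// HTML binding in plain JavaScript, modelled on the SCE idea quoted above.
// All names (SafeHtml, sanitizeHtml, trustAsHtml, bindHtml, findTrustCalls)
// are hypothetical; the tag allowlist and inputs are constructed.

// Token that only this module holds, so a SafeHtml cannot be forged by calling
// the constructor from elsewhere.
const SAFE_TOKEN = Symbol("SafeHtml constructor token");

class SafeHtml {
  constructor(html, token) {
    if (token !== SAFE_TOKEN) {
      throw new TypeError("Create SafeHtml via sanitizeHtml() or trustAsHtml()");
    }
    this.html = html;
    Object.freeze(this);
  }
  toString() {
    return this.html;
  }
}

// Bare, attribute-free tags the sanitizer lets through (constructed list).
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br"]);

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allowlist sanitizer: escape everything first, then re-enable only the exact
// "<tag>" / "</tag>" forms from ALLOWED_TAGS. A tag with attributes, or one not
// on the list, stays escaped text.
function sanitizeHtml(untrusted) {
  const html = escapeHtml(untrusted).replace(
    /&lt;(\/?)([a-z]+)&gt;/gi,
    (match, slash, name) =>
      ALLOWED_TAGS.has(name.toLowerCase()) ? `<${slash}${name.toLowerCase()}>` : match
  );
  return new SafeHtml(html, SAFE_TOKEN);
}

// The explicit escape hatch for markup you already know is safe (e.g. returned
// pre-sanitized by your server). Deliberately the only other way to get a SafeHtml.
function trustAsHtml(alreadySafeHtml) {
  return new SafeHtml(String(alreadySafeHtml), SAFE_TOKEN);
}

// The binding itself: a raw string is rejected, so a forgotten sanitize call
// fails loudly instead of rendering user-controlled markup.
function bindHtml(value) {
  if (!(value instanceof SafeHtml)) {
    throw new TypeError("bindHtml: refusing a value not marked as SafeHtml");
  }
  return value.html;
}

// The audit step the quoted docs describe: with a single escape hatch, one grep
// over the code base lists every place able to mark arbitrary HTML as trusted.
// Returns the 1-based line numbers of the calls in the given source text.
function findTrustCalls(sourceText) {
  return sourceText
    .split("\n")
    .flatMap((line, i) => (line.includes("trustAsHtml(") ? [i + 1] : []));
}

// Constructed inputs showing the three paths.
const userComment = "<b>hello</b> <script>alert(1)</script> <img src=x onerror=alert(1)>";
console.log(bindHtml(sanitizeHtml(userComment)));
// <b>hello</b> &lt;script&gt;alert(1)&lt;/script&gt; &lt;img src=x onerror=alert(1)&gt;
console.log(bindHtml(trustAsHtml("<p>server-sanitized</p>")));
try {
  bindHtml(userComment); // raw string: refused
} catch (e) {
  console.log("rejected:", e.message);
}
```

Bypassing this from the browser console is trivially possible, exactly as the answer says, and equally pointless: the only page whose rendering changes is the bypasser's own. What the pattern buys the developer is that a missing sanitize call is a thrown error in development rather than a silent XSS, and that `grep trustAsHtml(` enumerates every line that needs a reviewer's eye.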

