Datatables server side processing draw parameter

Question

In the datatable draw parameter documentation it said:


It is strongly recommended for security reasons that you cast this parameter to an integer, rather than simply echoing back to the client what it sent in the draw parameter, in order to prevent Cross Site Scripting (XSS) attacks

How can casting a parameter to int help to prevent Cross Site Scripting?

Accepted answer


You aren't supposed to do anything with it :-). On the client-side it is dealt with automatically by DataTables. On the server-side all you do is cast as int, and send it back. This example shows basic initialisation of server-side processing:

http://datatables.net/examples/data_sources/server_side.html

And for other attacks, DataTables indicates two ways to prevent an attack.

Prevention

There are two options to stop this type of attack from being successful in your application:

  1. Disallow any harmful data from being submitted

  2. Encode all untrusted output using a rendering function

For the first option your server-side script would actively block all data writes (i.e. input) that contain harmful data. You could elect to simply disallow all data that contains any HTML, or use an HTML parser to allow "safe" tags. It is strongly recommended that you use a known and proven security library if you take this approach - do not write your own!


The second option to use a rendering function will protect against attacks when displaying the data (i.e. output). DataTables has two built in rendering functions that can be used to prevent against XSS attacks; $.fn.dataTable.render.text and $.fn.dataTable.render.number.

More information: https://www.datatables.net/manual/security
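To make the two points above concrete, here is an added example (not code from the original answer and not DataTables' own source) in Node.js: a server-side helper that casts `draw` to an integer instead of reflecting the client's string, and a column render function that escapes cell data for display the way $.fn.dataTable.render.text is documented to; the escaping rules, the `castDraw`/`textRenderer`/`buildResponse` names and the sample request are assumptions made for this example.

```javascript
// draw is a request sequence counter; only a non-negative integer is valid.
// Anything else (e.g. "1<script>alert(1)</script>") becomes 0 instead of
// being reflected into the JSON response the client receives.
function castDraw(raw) {
  const s = String(raw ?? '').trim();
  return /^\d{1,9}$/.test(s) ? Number.parseInt(s, 10) : 0;
}

// Minimal HTML entity escaping for untrusted cell data (assumed to match
// what render.text does for strings; non-strings pass through unchanged).
function escapeHtml(value) {
  return typeof value !== 'string'
    ? value
    : value.replace(/&/g, '&amp;').replace(/</g, '&lt;')
           .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// A DataTables-style render function (data, type, row): escape only for the
// 'display' and 'filter' types, so 'sort' and 'type' still see the raw value.
function textRenderer(data, type) {
  return type === 'display' || type === 'filter' ? escapeHtml(data) : data;
}

// Build the JSON body a server-side processing endpoint returns. Only the
// cast integer is echoed back as draw; the rows are returned as stored and
// are escaped on the client by textRenderer when displayed.
function buildResponse(query, recordsTotal, recordsFiltered, rows) {
  return {
    draw: castDraw(query.get('draw')),
    recordsTotal,
    recordsFiltered,
    data: rows,
  };
}

// Constructed sample request in which the client tampered with draw.
const tamperedQuery = new URLSearchParams(
  'draw=1<script>alert(1)</script>&start=0&length=10'
);
// Constructed sample row containing markup and an ampersand.
const sampleRows = [{ id: 1, name: '<b>Ann</b> & Co' }];

console.log(JSON.stringify(buildResponse(tamperedQuery, 1, 1, sampleRows)));
console.log(textRenderer(sampleRows[0].name, 'display'));
```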
