防止XSS入侵(嵌入)用户生成的json的最佳方法? [英] Best way to prevent XSS hacking with (embedded)user generated json?
问题描述
请参见: http://jsfiddle.net/agv9ya39/
var json = { name: "</script><script>alert(123);</script>" };
请注意,我要做要在页面中嵌入json(数据与页面紧密相关,无法缓存,并且我不想执行额外的请求)>
一种解决方案是在输出前对整个json字符串执行String.Replace("</script>
).但这感觉很骇人,而且我可能想念其他容易受到XSS攻击的情况.
当然,我也可以确保它永远不会在数据库中以这种方式结束,但是我宁可对任何情况下的滑脱提供额外的保护.
我正在使用C#和Json.Net.
您可以将<!--
和</script>
替换为<\!--
和<\/script>
,以覆盖JSON的所有<script>
分支.不过,请考虑将JSON放在data-*
属性中,并使用JSON.parse
读取它.
<div id="some-relevant-element"
data-json="{"name":"</script><script>alert(123);</script>"}">
…
</div>
<script>
var someRelevantElement = document.getElementById('some-relevant-element');
var json = JSON.parse(someRelevantElement.getAttribute('data-json'));
</script>
See i.e.: http://jsfiddle.net/agv9ya39/
var json = { name: "</script><script>alert(123);</script>" };
Note that I do want to embed the json in the page (data is closely related to the page, can't be cached and I don't want to do an extra request)
One solution would be doing a String.Replace("</script>
) on the whole json string before outputting. But it feels hacky, and I'm probably missing other cases vulnerable for XSS.
Of course I can also make sure it nevers ends up like this in the database, but I rather have an extra protection for if something slips in anyway.
I am using C# and Json.Net.
You can replace <!--
and </script>
with <\!--
and <\/script>
to cover all <script>
break-outs for JSON. Consider putting the JSON in a data-*
attribute instead, though, and reading it with JSON.parse
.
<div id="some-relevant-element"
data-json="{"name":"</script><script>alert(123);</script>"}">
…
</div>
<script>
var someRelevantElement = document.getElementById('some-relevant-element');
var json = JSON.parse(someRelevantElement.getAttribute('data-json'));
</script>
这篇关于防止XSS入侵(嵌入)用户生成的json的最佳方法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!