如何在服务器端防止href属性的xss? [英] how to prevent xss of href attribute at the server side?

问题描述

在我的网站(服务器端为c#)中，我让用户提交如下链接:

In my website ( server side is c# ) , I let users submit links like this:

<a href="$">link text</a>

无论他们输入什么，都将仅保留在"href"属性内.我想通过"href" URL阻止XSS.

Whatever they input will stay inside the "href" attribute only. i want to prevent XSS through the "href" URL.

现在，我检查c#对象URI是否为有效网址.

Right now i check if it's a valid url the c# object URI.

我的问题是:

1. 使用URI验证网址是否足以阻止url xss?
2. 如果没有，我应该如何防止这种xss?

例如，如何防止有效网址的XSS网络钓鱼攻击为:" http://xss.rocks/xss.css "

For example how can i prevent XSS phishing attack of a valid url as: "http://xss.rocks/xss.css"

推荐答案

作为URI进行验证是一个不错的开始.之后，确认 方案 是白名单选项，例如 http / https .之后，请确保在输出之前对其进行编码(请参阅OWASP链接).基本上，您可以对任何html属性编码进行完全相同的操作，除了您还需要了解恶意方案之外.

Validating as a URI is a good start. After that, verify the scheme is a white-listed option such as http/https. After that, make sure that you encode it before outputting it (see OWASP link). Basically, you do exactly what you do for any html attribute encoding, except you also need to be aware of malicious schemes.

要注意的事情: javascript:alert(1); (验证方案)， https://example.com?xss="onclick = alert(1);//(转义输出).

Things to look out for: javascript:alert(1); (validate scheme), https://example.com?xss=" onclick=alert(1);// (escape output).

请参阅:

• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• 对于问题的第二部分，一旦用户单击链接并转到新站点，它就不再是您站点上的XSS.即使它不是XSS漏洞，让用户添加任何URL仍然很危险.它们仍然可以链接到恶意网站，非法内容等.对于这些网站，您也许可以针对类似于Google提供的站点信誉API ，但是即使这样也不是防弹的.

  As for the second part of your question, once the user clicks the link and goes to the new site, it isn't XSS on your site anymore. Letting users add any URL can still be dangerous, even if it isn't an XSS vulnerability though. They can still link to malicious sites, illegal content, etc. For those, you can perhaps validate against a site reputation API like Google provides, but even that is not bulletproof.

  这篇关于如何在服务器端防止href属性的xss?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！