正在转义<和>足以阻止XSS攻击? [英] Is escaping < and > sufficient to block XSS attacks?

问题描述

我确定这个问题的答案是否"，但是我似乎找不到简单地将< 和> 转换为<& lt; 和& gt; 不会完全阻止反射的和持久的XSS.

I'm sure that the answer to this question is No, but I can't seem to find a way that simply transforming < and > to < and > doesn't completely block reflected and persistent XSS.

我不是在谈论CSRF.

I'm not talking about CSRF.

如果这不会阻止XSS，您能否提供一个示例来说明如何绕过此防御?

If this doesn't block XSS, can you provide an example of how to bypass this defence?

推荐答案

在属性中使用不受信任的字符串(用"引用)时，您需要转义" 为& quot .

When using an untrusted string in an attribute (quoted with ") you need to escape " as &quot.

否则，您可以轻松注入javascript.例如，< a href ="{{str}}"> 中的 str 例如是"onmouseover ='something-evil'".

Otherwise you could easily inject javascript. For example, <a href="{{str}}"> with str being, for example, " onmouseover='something-evil'".

这篇关于正在转义&lt;和&gt;足以阻止XSS攻击?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！