逃逸足以防止 XSS 攻击 [英] Escaping < Good Enough to Prevent XSS Attacks

问题描述

我正在与我的一位同事就如何通过特定字符的编码来防止 XSS 攻击进行辩论.用 < 转义 < 字符会成功吗?

I'm having a debate with one of my colleagues over how to prevent an XSS attack through the encoding of specific characters. Will escaping the < character with < do the trick?

当我查看由OWASP发布的攻击向量备忘单时，似乎所有攻击使用 < 字符作为执行的基础.

When I review the attack vector cheat sheet published by OWASP, it seems that all attacks use the < character as the basis of execution.

如果这不起作用，什么攻击能打败它?

If this does not work, what attack would beat it?

推荐答案

不，对于 HTML 正文，您还需要对 & 字符进行编码，以防止攻击者可能逃脱转义.

No, for the HTML body you will also need to encode the & character to prevent an attacker from potentially escaping the escape.

查看XSS 实验最小编码规则:-

HTML 正文(最高 HTML 4.01):

• HTML 实体编码 <&

在 metatag 中指定字符集以避免 UTF7 XSS

specify charset in metatag to avoid UTF7 XSS

XHTML 正文:

• HTML 实体编码 <&>

限制输入字符集http://www.w3.org/TR/2008/REC-xml-20081126/#charsets

请注意，如果要在属性值中输入内容，则需要对所有具有特殊含义的字符进行正确编码.XSS(跨站点脚本)预防备忘单提到编码以下字符:-

Note that if you want to enter stuff inside of an attribute value, then you need to properly encode all characters with special meaning. The XSS (Cross Site Scripting) Prevention Cheat Sheet mentions to encode the following characters:-

&、<、>、"、', /

您还必须引用属性值才能使转义有效.

You must also quote the attribute value for the escaping to be effective.

这篇关于逃逸足以防止 XSS 攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！