防止 XSS 的可靠方法? [英] The sure way to protect against XSS?

问题描述

我已经浏览了这些问题，但我还没有看到有人问过这个问题.

I've looked through the questions and I haven't seen anyone ask this yet.

在某些用户提交的内容中删除任何类型的 XSS 尝试的确定方法是什么?我知道 < 和 > 应该分别转换为 < 和 >但我听说编码差异也可以解决这个问题.

What is the for sure method to remove any sort of XSS attempts in some user submitted content? I know that < and > should be converted to < and > respectively but I've heard mention that encoding differences can get around this too.

推荐答案

XSS 没有绝对的安全性，因为人们每天都会发现新的攻击媒介.有时 XSS 甚至是一个你无法解决的浏览器错误(一些解决方法除外).

There is no absolute security concering XSS since people find new attack vectors every day. Sometimes XSS is even a browser bug you cant do anything about (excep some workarounds).

要了解复杂性，请查看此(不完整的)xss 攻击备忘单.

To get the idea of the complexity look at this (incomplete) xss attack cheat sheet.

http://ha.ckers.org/xss.html

猜猜您应该让自己成为 XSS 专家或聘请一位专家来实现您的目标.

Guess you should make yourself a XSS expert or hire one to reach your goal.

您可以从检查上面给定链接中的攻击向量开始，尝试了解它为什么可以工作并确保您阻止它.

You can start by inspecting the attack vectors from the given link above, try to understand why it can work and make sure you prevent it.

另一个防止 XSS 的好方法是确保你只接受你期望的东西，而不是阻止你知道不好的东西.(即白名单而不是黑名单)

Another great way of preventing XSS is to make sure you accept only stuff you expect instead of blocking stuff you know is bad. (i.e. whitelisting instead of blacklisting)

这篇关于防止 XSS 的可靠方法?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！