'Sanitising' user-submitted Javascript - so it still works!


Question

I plan on having an aspect of my site where the users can submit HTML, CSS, and JS, which is then generated 'live' into full working pages of HTML. Other users will be able to see this. These pages need to have working Javascript on them.

I understand that's a pretty major security flaw in itself, but it's very important this feature is on the site. I had these ideas:

  • No external Javascript files may be linked to
  • jQuery and the like may be included, but only from a trusted CDN (e.g. Google)
  • Certain Javascript functions will be disabled and stripped out (e.g. eval())
  • Users cannot submit live demo code until they have a certain amount of 'reputation'
  • Live demo code submitted by users must be authorised by an admin before it goes live
  • No minified code allowed

And passive security measures:

  • A disclaimer, so we accept no liability! ;)
  • A 'report' button in case users spot something suspicious

So here's the question: What do you think of this, as a security plan? Will these measures combined be enough to stop attackers? Users will be submitting their code in three separate inputs - CSS, HTML, and JS - so I will be able to filter and sanitise accordingly, then restructure it 'live' for others to preview.

Thanks!

Jack

Answer

Sounds like a plan, although I imagine its execution is going to be difficult.

  • JavaScript is a very flexible language, and it may not be possible to automatically filter out all eval()-like constructs.
  • There are also many ways to fetch script files from external domains that are going to be hard to tell.
  • There may be large amounts of code that need manual reviewing.

Focusing on the reputation aspect of the idea (accepting executable code only from trusted users), and running everything on a cookieless "sandbox" domain separate from the domain you log in to, is surely a good idea.

There's always going to be a risk remaining but I don't see how that risk is any bigger than on any other web site on the internet that provides JavaScript.
