保护应用程序免受 XSS [英] Securing application against XSS
问题描述
我们目前正在使用 OWASP Antisamy 项目来保护我们的应用程序免受 XSS 攻击.当任何给定的表单提交到服务器时,每个输入字段都会被清理.它工作正常,但我们在公司名称、组织名称等字段上有问题.
We are currently using OWASP Antisamy project to protect our application against XSS attacks. Every input field is sanitized when any given form is submitted to server. It works fine, but we have issues with the fields like company name, organization name, etc.
例如:对于 AT&T 转义符和公司名称显示错误(以转义字符显示).
Ex: Ampersand is escaped for AT&T and the company name is displayed wrong (displayed with escaped characters).
我们手动更新数据库上的字段以解决此问题.然而,这是你可以想象的颈部疼痛.
We manually update the fields on database to fix this issue. However, this is a pain in the neck as you can imagine.
有没有办法使用 OWASP antisamy 解决这个问题,或者我们应该使用不同的库?
Is there a way to address this using OWASP antisamy or should we use a different library?
推荐答案
你应该只对输出进行编码,而不是对输入进行编码.如果用户在您的应用程序中输入 AT&T,这应该存储在数据库中的 AT&T.无需对其进行编码,但当然要确保您使用的是参数化查询,这将防止诸如 ' 之类的字符脱离 SQL 命令上下文并导致 SQL 注入.
You should only encode on output, not on input. If a user enters AT&T in your application, this should be stored at AT&T in the database. There is no need to encode it, but of course make sure that you are using parameterised queries which will prevent characters such as ' from breaking out of the SQL command context and causing SQL injection.
当您输出时,这是您唯一需要对字符进行编码的时间.例如AT&T在输出到HTML时应该编码为AT&T,所以在浏览器中显示为AT&T.
When you output, this is the only time you need to encode characters. e.g. AT&T should be encoded as AT&T when output to HTML, so it is displayed in the browser as AT&T.
似乎您的应用程序正在对输入进行编码并对输出进行编码,因此上面的字符串将被双重编码,然后在您的 HTML 中输出为 AT&T,导致问题.删除您的输入编码以解决此问题.
It seems like your application is encoding the input and also encoding the output, so strings like above will be double encoded at then output as AT&T in your HTML, causing the problem. Remove your input encoding to solve this.
您应该只在输出时编码的原因是,如果您决定要将数据输出为不同的格式,例如 JSON 或 JavaScript,则编码是不同的.如果为 JavaScript 正确编码,O'leary 将变成 O\x27leary,这将无法在编码为 O'leary 的 HTML 中正确显示代码>.
The reason you should only encode when output is that if you decide you want to output data to a different format such as JSON or JavaScript, then the encoding is different. O'leary would become O\x27leary if encoded properly for JavaScript, which would not display properly in HTML where the encoding is O'leary.
这篇关于保护应用程序免受 XSS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
