防止 XSS 攻击的新方法 [英] New Way To Prevent XSS Attacks
问题描述
我有一个与娱乐相关的网站.所以,我想到了使用一种新的方法来防止 XSS 攻击.我创建了以下单词列表
I have a website related to entertainment. So, I have thought to use a new method to prevent XSS Attack. I have created the following words list
alert(, javascript, <script>,<script,vbscript,<layer>,
<layer,scriptalert,HTTP-EQUIV,mocha:,<object>,<object,
AllowScriptAccess,text/javascript,<link>, <link,<?php, <?import,
我认为因为我的网站与娱乐有关,所以我不希望普通用户(恶意用户除外)在他的评论中使用这种词.所以,我决定从用户提交的字符串中删除所有上述逗号分隔的单词.我需要你的建议.这样做之后我就不需要使用htmlpurifier之类的工具了吗?
I have thought that because my site is related to entertainment, So I do not expect from a normal user (other than malicious user) to use such kind of words in his comment. So, I have decided to remove all the above comma separated words from the user submitted string. I need your advice. Do I no need to use htmlpurifier like tools after doing this?
注意:我没有使用 htmlspecialchars() 因为它还会转换从我的富文本编辑器 (CKEditor) 生成的标签,因此用户格式化将消失.
Note: I am not using htmlspecialchars() because it will also convert the tags generated from my Rich Text Editor (CKEditor), so user formatted will be gone.
推荐答案
使用黑名单是个坏主意,因为它很容易规避.例如,您正在检查并可能删除 .为了规避这一点,恶意用户可以输入:
Using a black list is a bad idea as it is simple to circumvent. For example, you are checking for and presumably removing <script>
. To circumvent this, a malicious user can enter:
<scri<script>pt>
您的代码将去除中间的 保留外部的
并保存到页面中.
your code will strip out the middle <script>
leaving the outer <script>
intact and saved to the page.
如果您需要输入 HTML 而您的用户不需要,则阻止他们输入 HTML.您需要有一个单独的方法,只有您可以访问,用于输入带有 HTML 的文章.
If you need to enter HTML and your users do not, then prevent them from entering HTML. You need to have a separate method, only accessible to you, for entering articles that with HTML.
这篇关于防止 XSS 攻击的新方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!