Is using jquery parseHTML to remove script tags enough to prevent XSS attacks?

Views: 67

Question


We are using a WYSIWYG editor (Froala Editor) and storing raw HTML that is created by the user. Thus, escaping the string is not an option. I am intending to store the HTML string in a variable or a data-attribute enclosed within quotes. Then, read that HTML string and remove script tags using jquery's parseHTML as well as keep only certain attributes before loading the HTML into the editor. Is this approach enough to prevent all XSS attacks?

Solution

It is not. A few counter-examples:

  • <a href="javascript:alert(1)">
  • <div onclick="alert(1)">
  • <img src="javascript:alert(1)"> (doesn't actually work anymore in modern browsers)
  • <div style="background-image: url(javascript:alert(1))"> (doesn't work anymore)

Part of the difficulty is that it also depends on which browser the user is using. The bottom line is, you need a proper sanitizer, which can also be on the client side. (It can also be on the server, but consider the "preview" feature of the editor if there is any - if previews are not sent to the server, a server-side sanitizer is not of much use. :) )

Google Caja is (was?) an HTML sanitizer project that also had a pure javascript component. There are other solutions as well.

Note that the editor javascript must support running its contents through a custom sanitizer before inserting it into the DOM if you want to do this in javascript.
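As an added example (not part of the original question or answer, and not code from jQuery, Froala or Caja), the following Node script puts the four counter-examples from the answer through two filters: the "strip script tags, keep the rest" approach from the question, and an allowlist sanitizer that only keeps known-safe tags, known-safe attributes and URLs with an allowed scheme. The tokenizer, the allowlists and the scheme list are assumptions made for the demo, and the tokenizer is deliberately minimal so it runs without a DOM; a real deployment should use a maintained sanitizer library, not this code.

```javascript
// Added example: contrasts "drop <script> elements" with an allowlist sanitizer.
// Runs under plain Node (no DOM, no jQuery). Allowlists and the tokenizer are
// assumptions for this demo, not any library's real rules.

const TAG_RE = /<\/?([a-zA-Z][\w-]*)([^>]*)>|([^<]+)|(<)/g;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Split markup into open/close/text tokens. Simplified on purpose: a ">" inside a
// quoted attribute value ends the tag early, which is one reason not to ship this.
function tokenize(html) {
  const tokens = [];
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    if (m[1] === undefined) {                       // plain text or a stray "<"
      tokens.push({ type: 'text', text: m[3] !== undefined ? m[3] : m[4] });
      continue;
    }
    const isClose = m[0].startsWith('</');
    const attrs = [];
    let a;
    ATTR_RE.lastIndex = 0;
    while (!isClose && (a = ATTR_RE.exec(m[2])) !== null) {
      attrs.push({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? '' });
    }
    tokens.push({ type: isClose ? 'close' : 'open', name: m[1].toLowerCase(), attrs, raw: m[0] });
  }
  return tokens;
}

// The approach from the question: drop <script> elements, keep everything else verbatim.
function naiveStripScripts(html) {
  let out = '';
  let inScript = false;
  for (const t of tokenize(html)) {
    if (t.type !== 'text' && t.name === 'script') { inScript = t.type === 'open'; continue; }
    if (!inScript) out += t.type === 'text' ? t.text : t.raw;
  }
  return out;
}

// Demo allowlists (assumptions): what survives, per tag. Everything else is removed.
const ALLOWED_TAGS = new Set(['a', 'b', 'strong', 'i', 'em', 'p', 'div', 'span', 'ul', 'ol', 'li', 'br', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) };
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
const VOID_TAGS = new Set(['br', 'img']);
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']); // text inside is dropped too

function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, code) => {
    const cp = code[0].toLowerCase() === 'x' ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
  });
}

// A URL is kept only if it has no scheme (relative) or an allowed one. Numeric
// entities are decoded and ASCII control/whitespace characters removed before the
// check (stricter than browsers, which strip only some of them), so the scheme
// test sees roughly what the browser will act on rather than the raw bytes.
function safeUrl(value) {
  const probe = decodeNumericEntities(value).replace(/[\x00-\x20\x7f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(probe);
  return m === null || ALLOWED_SCHEMES.has(m[1]);
}

// Existing entities are left alone so they are not double-encoded; only the
// characters that could open a tag or end an attribute are escaped.
const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

function sanitizeAllowlist(html) {
  const out = [];
  const open = [];        // stack of open allowed tags, so output is always balanced
  let dropDepth = 0;      // > 0 while inside an element whose content is discarded
  for (const t of tokenize(html)) {
    if (t.type === 'text') { if (dropDepth === 0) out.push(escapeText(t.text)); continue; }
    if (!ALLOWED_TAGS.has(t.name)) {              // unknown tag: removed, text may stay
      if (DROP_CONTENT.has(t.name)) {
        if (t.type === 'open') dropDepth++;
        else if (dropDepth > 0) dropDepth--;
      }
      continue;
    }
    if (dropDepth > 0) continue;
    if (t.type === 'close') {
      if (open.includes(t.name)) {
        let n;
        do { n = open.pop(); out.push(`</${n}>`); } while (n !== t.name);
      }
      continue;
    }
    const allowed = ALLOWED_ATTRS[t.name] || new Set();
    const attrs = [];
    for (const { name, value } of t.attrs) {
      if (name.startsWith('on') || name === 'style') continue; // never kept (redundant with the allowlist, kept explicit)
      if (!allowed.has(name)) continue;
      if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
      attrs.push(` ${name}="${escapeAttr(value)}"`);
    }
    out.push(`<${t.name}${attrs.join('')}>`);
    if (!VOID_TAGS.has(t.name)) open.push(t.name);
  }
  while (open.length) out.push(`</${open.pop()}>`);
  return out.join('');
}

// Stand-alone demo: the answer's counter-examples through both filters.
for (const sample of ['<a href="javascript:alert(1)">x</a>', '<div onclick="alert(1)">x</div>',
                      '<img src="javascript:alert(1)">', '<div style="background-image: url(javascript:alert(1))">x</div>']) {
  console.log(naiveStripScripts(sample), '->', sanitizeAllowlist(sample));
}
```

Note what the two filters disagree on: the naive filter returns every counter-example unchanged, because none of them contains a script tag, while the allowlist version strips the handler attribute, the two javascript: URLs and the style attribute but keeps the elements and their text. Denying by default (unknown tag or attribute is dropped) is what makes the second approach hold up across browsers; a denylist has to anticipate every vector the answer lists and the ones it does not.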
