XSS Basic Understanding


Question

I'm using Symfony2 / Twig / Doctrine.

I'm looking at security on my site and in particular preventing XSS attacks, but I can't see what more I can do.

  1. Persistent

I use Doctrine and always ensure I make user input safe, refusing HTML, web addresses and email addresses etc. (if applicable, e.g. a comment box). I also use Twig (which I believe escapes output).

  2. Reflective

My understanding is that anyone could send an email to someone with a link to any website that also injects JavaScript. That JS can of course do anything. That JS could have a login form be submitted to any web address and there is nothing you can do (other than hope stupid people don't click links from random people to my site's login page).

So unless you can prevent JS being injected, then what more can I do?

I don't believe you can prevent a site from running a JS script on another server (my valid JS comes from a CDN anyway which is on another server) and I don't think you can prevent an HTML form being submitted to another server.

I do believe that cross domain protection does prevent the injected JS calling an Ajax request though - but I haven't done anything about this, I just think that is how modern browsers work.

Is anything else in my hands? As long as I have done everything else possible that's enough for me.

I suppose I'm wondering why there isn't much I can do about this when some people make a living out of advising on XSS protection. Maybe it's because I use Symfony2 / Twig / Doctrine?

Just looking for help to clarify my understanding.

Accepted answer

Content Security Policy solves the problem of injected javascript by banning any inline javascript and validating content sources.

Info: https://developer.mozilla.org/en-US/docs/Security/CSP/Using_Content_Security_Policy

Browser support: http://caniuse.com/contentsecuritypolicy
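To make the answer concrete for the asker's stack, here is an added example (not code from the question, the answer, or the Symfony project) of how a Symfony 2.x application can send such a policy: a listener mints a per-request script nonce on `kernel.request` and emits a `Content-Security-Policy` header on `kernel.response`. The bundle namespace, the `https://cdn.example.com` origin and the service id are placeholders; it assumes Symfony 2.4 or later and PHP 7 or later (for `random_bytes()`). Beyond the answer's two points (no inline scripts, whitelisted sources) it also adds `form-action 'self'`, the CSP Level 2 directive that addresses the asker's worry about a form being submitted to another server.

```php
<?php
// Added example (not from the original post or from Symfony): a Symfony 2.x
// listener that generates a per-request nonce and sends a CSP header so that
// only scripts from our CDN or carrying the nonce run, and forms can only be
// submitted back to our own origin.
// Assumptions: Symfony 2.4+ (isMasterRequest), PHP 7+ (random_bytes), and
// "https://cdn.example.com" as a placeholder for the site's real CDN host.

namespace Acme\SecurityBundle\EventListener;

use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;

class ContentSecurityPolicyListener
{
    /** @var string Placeholder CDN origin; replace with the real one. */
    private $cdnOrigin;

    /** @var bool Report-only mode: browsers log violations but do not block. */
    private $reportOnly;

    public function __construct($cdnOrigin = 'https://cdn.example.com', $reportOnly = false)
    {
        $this->cdnOrigin  = $cdnOrigin;
        $this->reportOnly = $reportOnly;
    }

    // kernel.request: mint a fresh nonce and keep it on the request so Twig
    // templates can print <script nonce="{{ app.request.attributes.get('csp_nonce') }}">.
    public function onKernelRequest(GetResponseEvent $event)
    {
        if (!$event->isMasterRequest()) {
            return;
        }
        $nonce = base64_encode(random_bytes(16)); // 128 bits, unguessable per page load
        $event->getRequest()->attributes->set('csp_nonce', $nonce);
    }

    // kernel.response: attach the policy built around that nonce.
    public function onKernelResponse(FilterResponseEvent $event)
    {
        if (!$event->isMasterRequest()) {
            return;
        }
        $nonce = $event->getRequest()->attributes->get('csp_nonce');
        if (null === $nonce) {
            return; // request that never passed through onKernelRequest
        }

        $header = $this->reportOnly
            ? 'Content-Security-Policy-Report-Only'
            : 'Content-Security-Policy';
        $event->getResponse()->headers->set($header, self::buildPolicy($this->cdnOrigin, $nonce));
    }

    // Pure function so the policy string can be unit-tested without the kernel.
    public static function buildPolicy($cdnOrigin, $nonce)
    {
        $directives = array(
            // Nothing loads unless a more specific directive allows it.
            "default-src 'self'",
            // No inline scripts and no eval: only the CDN and scripts carrying this
            // request's nonce. An injected <script> has neither, so it does not run.
            sprintf("script-src %s 'nonce-%s'", $cdnOrigin, $nonce),
            // XHR/fetch from page scripts may only talk to our own origin.
            "connect-src 'self'",
            // Forms may only be submitted to this origin (CSP Level 2).
            "form-action 'self'",
            // Other origins may not frame the page.
            "frame-ancestors 'self'",
            // Styles and images from ourselves or the CDN.
            sprintf("style-src 'self' %s", $cdnOrigin),
            sprintf("img-src 'self' %s data:", $cdnOrigin),
        );

        return implode('; ', $directives);
    }
}

// Service registration (services.yml, Symfony 2.x style; ids are placeholders):
//   acme_security.csp_listener:
//       class: Acme\SecurityBundle\EventListener\ContentSecurityPolicyListener
//       arguments: ['https://cdn.example.com', false]
//       tags:
//           - { name: kernel.event_listener, event: kernel.request,  method: onKernelRequest }
//           - { name: kernel.event_listener, event: kernel.response, method: onKernelResponse }
```

Roll it out with `$reportOnly = true` first and watch the browser console for violations, because any existing inline `<script>` or `onclick=` handler in the templates stops working the moment the policy is enforced. CSP is a second layer, not a replacement for Twig's output escaping: the header only helps in browsers that implement it, and a template that uses `|raw` on user data is still injectable for everyone else.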
