XSS javascript,漏洞利用检查 [英] XSS javascript, exploit check
问题描述
我目前正在处理一个页面,我需要用户输入几个变量,然后在整个页面中显示这些变量.
I am currently working on a page where I need the user to input several variables which when submitted are then displayed throughout the page.
问题是,它需要是 100% 安全的代码,虽然我可以使用 PDO/mysql 等,但 javascript 不是我非常熟悉的东西.
Problem is, it needs to be 100% secure code and whilst I'm ok using PDO/mysql etc javascript is not something I'm very fluent in.
目前,我有以下几点:
<script language="JavaScript">
function showInput() {
document.getElementById('var1').innerText =
document.getElementById("user_var1").value;
document.getElementById('var2').innerText =
document.getElementById("user_var2").value;
}
</script>
使用 html
<form>
your variable 1 is = <input type="text" name="message" id="user_var1"><br />
your variable 2 is = <input type="text" name="message" id="user_var2"><br />
</form>
<input type="submit" onclick="showInput();">
<p>var1 = <span id='var1'></span></p>
<p>var2 = <span id='var2'></span></p>
据我所知,使用.innerText"应该停止使用任何 html 等,我已经用
From what I can tell, using ".innerText" should stop any html etc being used and I have tested with
<script>alert(document.cookie);</script>
这导致上面只是按原样打印(不运行).
which results in the above just being printed as is (not run).
例如
your variable 1 is = <script>alert(document.cookie);</script>
您是否还建议采取其他措施来确保其安全(XSS 或其他方式)?只需要输入的字符是/和 A-Z 0-9
Is there anything else you would recommend doing to make sure it is secure (XSS or otherwise)? Only characters that should need to be entered are / and A-Z 0-9
提前致谢:)
澄清一下,唯一的代码就是上面的代码,页面没有从数据库等中提取数据(你在上面看到的实际上是完整的 php 页面,只是缺少 html head body 标签等).
Just to clarify, the only code is what is above, the page is not pulling data from a database etc (what you see above is virtually the full php page, just missing the html head body tags etc).
推荐答案
这里is没有漏洞(请在投票前阅读).
There is no vulnerability here (please read before downvote).
只是为了澄清,唯一的代码是上面的内容,页面不是从数据库等中提取数据(您在上面看到的实际上是完整的 php 页面,只是缺少 html head body 标签等).
Just to clarify, the only code is what is above, the page is not pulling data from a database etc (what you see above is virtually the full php page, just missing the html head body tags etc).
因此以下两个字段不能由当前用户以外的任何人填充:
Therefore the following two fields cannot be populated by anything other than the current user:
<input type="text" name="message" id="user_var1">
<input type="text" name="message" id="user_var2">
因为不存在填充这两个字段的代码.
because there is no code present that populates these two fields.
代码填充的两个DOM元素如下:
The two DOM elements that are populated by code are as follows:
<span id='var1'></span>
<span id='var2'></span>
执行此操作的代码是
document.getElementById('var1').innerText =
document.getElementById("user_var1").value;
document.getElementById('var2').innerText =
document.getElementById("user_var2").value;
它使用的是非标准的innerText 而不是 textContent,但是 innerText 将设置文本内容而不是 HTML 内容,防止浏览器呈现任何标签或脚本.
It is using the non-standard innerText rather than textContent, however innerText will set the text content rather than HTML content, preventing the browser from rendering any tags or script.
然而,即使它设置了 innerHTML 属性,用户所能做的就是攻击自己(就像他们在浏览器中打开开发者工具一样).
However, even if it was setting the innerHTML property instead, all the user could do is attack themselves (just the same as they would opening up developer tools within their browser).
但是,为了正确的功能行为和互联网标准,我将使用 textContent 而不是 innerText 或 innerHTML.
However, in the interests of correct functional behaviour and internet standards, I would use textContent rather than innerText or innerHTML.
注意
<script>alert(document.cookie);</script>
无论如何都行不通,它必须是
would not work anyway, it would have to be
<svg onload="alert(document.cookie)" />
或类似的.HTML5 指定不应执行通过 innerHTML 插入的
