How to prevent XSS (Cross Site Scripting) whilst allowing HTML input


Question

I have a website that allows users to enter HTML through a TinyMCE rich editor control. Its purpose is to allow users to format text using HTML.

This user-entered content is then output to other users of the system.

However, this means someone could insert JavaScript into the HTML in order to perform an XSS attack on other users of the system.

What is the best way to filter the JavaScript code out of an HTML string?

If I perform a Regular Expression check for <SCRIPT> tags it's a good start, but an evil doer could still attach JavaScript to the onclick attribute of a tag.

Is there a fool-proof way to script out all JavaScript code, whilst leaving the rest of the HTML untouched?

For my particular implementation, I'm using C#.

Answer

Microsoft have produced their own anti-XSS library, Microsoft Anti-Cross Site Scripting Library V4.0:

The Microsoft Anti-Cross Site Scripting Library V4.0 (AntiXSS V4.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. New features in this version of the Microsoft Anti-Cross Site Scripting Library include:

  • A customizable safe list for HTML and XML encoding
  • Performance improvements
  • Support for Medium Trust ASP.NET applications
  • HTML Named Entity Support
  • Invalid Unicode detection
  • Improved Surrogate Character Support for HTML and XML encoding
  • LDAP Encoding Improvements
  • application/x-www-form-urlencoded encoding support

It uses a whitelist approach to strip out potential XSS content.

Here are some relevant links related to AntiXSS:

  • Anti-Cross Site Scripting Library
  • Microsoft Anti-Cross Site Scripting Library V4.2 (AntiXSS V4.2)
  • Microsoft Web Protection Library
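The whitelist principle the answer describes, worked through as an added example that is not part of the original question or answer and is not AntiXSS's own code. It is written in Python so that it runs stand-alone with the standard library; the same design carries over to any language. The tag and attribute lists, the function names `sanitize_html`, `naive_strip_script` and `safe_url`, and the sample inputs are all choices made for this example. It also shows why the regex approach from the question is not enough: `naive_strip_script` removes `<script>` blocks but leaves an `onclick` handler and a `javascript:` link untouched, whereas the whitelist sanitizer keeps only known-safe tags and attributes and rebuilds the markup from scratch.

```python
"""Added example: whitelist HTML sanitizer versus a naive <script> regex.

Illustrative code written for this page; the tag and attribute lists below
are choices made for the example, not AntiXSS's own lists.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# The approach from the question: strip <script> blocks and nothing else.
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def naive_strip_script(fragment):
    return SCRIPT_RE.sub("", fragment)


# Whitelist: only these tags survive; unknown tags are dropped but their text is kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                "a", "h1", "h2", "h3", "blockquote", "pre", "code"}
# Only these attributes survive, per tag: no on* handlers, no style, no src.
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
# Elements whose text content is discarded together with the tag.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


def safe_url(value):
    """Return the URL if its scheme is allowed (or it is relative), else None."""
    # Browsers ignore control characters and whitespace inside a scheme, so
    # "jav<TAB>ascript:" still executes; strip them before classifying.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlparse(cleaned).scheme.lower()
    if scheme == "":
        return value.strip()          # relative URL: no scheme to abuse
    return cleaned if scheme in SAFE_URL_SCHEMES else None


class WhitelistSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only whitelisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, re-escaped on output
        self.out = []
        self.open_tags = []   # stack of emitted, still-open tags
        self.drop_depth = 0   # > 0 while inside script/style/... content

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return            # tag removed; its text content still flows through
        kept = []
        for name, value in attrs:   # html.parser lowercases names and decodes entities in values
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:   # close intervening tags so output stays well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                  # comments (including IE conditional comments) are dropped

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: the question's two cases plus two common bypass shapes.
    for sample in ['<p>Hi <b>there</b><SCRIPT>alert(1)</SCRIPT></p>',
                   '<b onclick="alert(1)">click me</b>',
                   '<a href="jav&#x09;ascript:alert(1)" title="t">x</a>',
                   '<img src=x onerror=alert(1)>']:
        print(f"{sample!r}\n  regex:     {naive_strip_script(sample)!r}"
              f"\n  whitelist: {sanitize_html(sample)!r}")
```

The sanitizer never copies the input through: it parses it, keeps only what the whitelist names, and serialises a fresh fragment with every text node and attribute value re-escaped. That is what makes unknown constructs (new tags, new event attributes, odd encodings of `javascript:`) fail closed instead of slipping past a blacklist. A production deployment would also tie the allowed tag list to what TinyMCE is configured to emit, and should still HTML-encode everything that is not meant to be markup.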

