如何在用户生成的 HTML 中防止 Javascript 注入攻击 [英] How to prevent Javascript injection attacks within user-generated HTML

问题描述

我正在保存用户提交的 HTML(在数据库中).我必须防止 JavaScript 注入攻击.我见过的最有害的是 style="expression(...)" 中的 JavaScript.

I am saving user-submitted HTML (in a database). I must prevent JavaScript injection attacks. The most pernicious I have seen is JavaScript in a style="expression(...)".

除此之外，相当多的有效用户内容将包括特殊字符和 XML 结构，因此我希望尽可能避免使用白名单方法.(列出每个允许的 HTML 元素和属性).

In addition to this, a fair amount of valid user content will include special characters and XML constructs, so I'd like to avoid a white-list approach if possible. (Listing every allowable HTML element and attribute).

JavaScript 攻击字符串示例:

Examples of JavaScript attack strings:

1.

"Hello, I have a
<script>alert("bad!")</script>
problem with the <dog>
element..."

"Hi, this <b
style="width:expression(alert('bad!'))">dog</b>
is black."

有没有办法阻止这样的 JavaScript，而其余部分完好无损?

Is there a way to prevent such JavaScript, and leave the rest intact?

到目前为止我唯一的解决方案是使用正则表达式来删除某些模式.它解决了情况 1，但不解决了情况 2.

The only solution I have so far is to use a regular expression to remove certain patterns. It solves case 1, but not case 2.

环境本质上是 Microsoft 堆栈:

The environment is essentially the Microsoft stack:

• SQL Server 2005
• C# 3.5 (ASP.NET)
• JavaScript 和 jQuery.

我希望阻塞点是 ASP.NET 层 - 任何人都可以创建错误的 HTTP 请求.

I would like the chokepoint to be the ASP.NET layer - anyone can craft a bad HTTP request.

谢谢大家的链接.假设我可以定义我的列表(内容会包含很多数学和编程结构，所以白名单会很烦人)，我还有一个问题:

Thanks for the links, everyone. Assuming that I can define my list (the content will include many mathematical and programming constructs, so a whitelist is going to be very annoying), I still have a question:

什么样的解析器可以让我删除坏"的部分?不好的部分可能是整个元素，但是那些驻留在属性中的脚本呢?我无法删除 <一个 hrefs > 随意.

What kind of parser will allow me to just remove the "bad" parts? The bad part could be an entire element, but then what about those scripts that reside in the attributes? I can't remove < a hrefs > willy-nilly.

推荐答案

您认为就是这样吗?检查一下.

无论您采用何种方法，您都肯定需要使用白名单.这是对您在网站上允许的内容几乎安全的唯一方法.

Whatever approach you take, you definitely need to use a whitelist. It's the only way to even come close to being safe about what you're allowing on your site.

编辑:

不幸的是，我不熟悉 .NET，但您可以查看 stackoverflow 与 XSS 的斗争(https://blog.stackoverflow.com/2008/06/safe-html-and-xss/) 以及用于解析发布在此站点上的 HTML 的代码:Archive.org 链接 - 显然你可能需要改变这一点，因为您的白名单更大，但这应该会让您开始.

I'm not familiar with .NET, unfortunately, but you can check out stackoverflow's own battle with XSS (https://blog.stackoverflow.com/2008/06/safe-html-and-xss/) and the code that was written to parse HTML posted on this site: Archive.org link - obviously you might need to change this because your whitelist is bigger, but that should get you started.

这篇关于如何在用户生成的 HTML 中防止 Javascript 注入攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！