白名单,preventing XSS在C#控制大规模杀伤性武器 [英] Whitelisting, preventing XSS with WMD control in C#
问题描述
有没有用,我在这里做了什么什么问题?这是我第一次处理这样的事情,我只是想确保我了解所有的风险等,以不同的方法。
我使用大规模杀伤性武器,以获取用户输入的,而我用文字控制显示它。
因为它是不可编辑一旦进入我要存储HTML而不是降价,
输入= Server.HTMLEn code(stringThatComesFromWMDTextArea)
然后运行类似的标签我希望用户能够使用下面的。
// UNESCAPE列入白名单的标签。
字符串输出= input.Replace(&放大器; LT; B和; GT;,< B>中)更换。(与& LT; / B&放大器; GT;,< / B>中)
.Replace(与&下; I和gt;中,&所述; I>中)更换。(与&下; / I和gt;中,&所述; / I>中);
修改这是我在做什么目前:
公共静态字符串连接codeAndWhitelist(字符串HTML)
{
字符串[] =白名单{B,I,强,IMG,UL,礼};
字符串连接codedHTML = HttpUtility.HtmlEn code(HTML);
的foreach(白名单中的字符串WL)
EN codedHTML = EN codedHTML.Replace(&放大器; LT;+ WL +&放大器; GT;,<+ WL +>中)更换(与& LT; /+ WL +与& gt;中,&所述; /+ WL +>中);
返回连接codedHTML;
}
- 请问我在做什么在这里让我免受 XSS ?
- 是否还有其他方面的考虑
应该做? - 是否有正常的一个好名单
标签白名单中?
如果你的要求确实是基本的,你可以做这样简单的字符串替换,然后是的,这是'安全'对XSS。 (但是,它仍然可以提交非形成井的内容,其中< I> 和< B> 被误嵌套或未关闭,这可能搞砸内容最终页插入。)
但是,这是很少就够了。例如目前< A HREF =...> 或< IMG SRC =.../> 是不允许的。如果你想允许这些或其他标记,在属性值,你就会有一大堆工作要做。那么你可能会与正则表达式接近它,但是,让你意外的嵌套和更换已经被替换的内容层出不穷的问题,看到正则表达式怎么也无法解析HTML,那
要解决这两个问题,通常的做法是在输入使用[X] [HT] ML分析器,然后步行DOM中删除所有,但已知良好的元素和属性,最后再还原序列化到[X] HTML。那么结果是保证良好且只包含健康的内容。
Are there any problems with what I am doing here? This is my first time to deal with something like this, and I just want to make sure I understand all the risks, etc. to different methods.
I am using WMD to get user input, and I am displaying it with a literal control. Since it is uneditable once entered I will be storing the HTML and not the Markdown,
input = Server.HTMLEncode(stringThatComesFromWMDTextArea)
And then run something like the following for tags I want users to be able to use.
// Unescape whitelisted tags.
string output = input.Replace("<b>", "<b>").Replace("</b>", "</b>")
.Replace("<i>", "<i>").Replace("</i>", "</i>");
Edit Here is what I am doing currently:
public static string EncodeAndWhitelist(string html)
{
string[] whiteList = { "b", "i", "strong", "img", "ul", "li" };
string encodedHTML = HttpUtility.HtmlEncode(html);
foreach (string wl in whiteList)
encodedHTML = encodedHTML.Replace("<" + wl + ">", "<" + wl + ">").Replace("</" + wl + ">", "</" + wl + ">");
return encodedHTML;
}
- Will what I am doing here keep me protected from XSS?
- Are there any other considerations that should be made?
- Is there a good list of normal tags to whitelist?
If your requirements really are that basic that you can do such simple string replacements then yes, this is ‘safe’ against XSS. (However, it's still possible to submit non-well-formed content where <i> and <b> are mis-nested or unclosed, which could potentially mess up the page the content ends up inserted into.)
But this is rarely enough. For example currently <a href="..."> or <img src="..." /> are not allowed. If you wanted to allow these or other markup with attribute values in, you'd have a whole lot more work to do. You might then approach it with regex, but that gives you endless problems with accidental nesting and replacement of already-replaced content, seeing as how regex can't parse HTML, and that.
To solve both problems, the usual approach is to use an [X][HT]ML parser on the input, then walk the DOM removing all but known-good elements and attributes, then finally re-serialise to [X]HTML. The result is then guaranteed well-formed and contains only safe content.
这篇关于白名单,preventing XSS在C#控制大规模杀伤性武器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
