如果“数据目标"是 Bootstrap 3.3.7 安全可靠的?属性未使用? [英] Is Bootstrap 3.3.7 safe and secured if "data-target" attribute is unused?
问题描述
Bootstrap 3.3 存在一个安全漏洞.7.它说此软件包的受影响版本容易受到通过 data-target 属性的跨站点脚本 (XSS) 攻击."我想知道如果不使用data-target"属性,v3.3.7 是否可以安全使用.
There is a security vulnerability regarding Bootstrap 3.3.7. It says that "Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks via the data-target attribute." I am wondering if v3.3.7 is safe to use if the "data-target" attribute is not used.
推荐答案
只有在 data-target
值依赖于由外部(直接或间接)AND 显示在攻击者以外的其他用户受到影响的页面上.
The so called 'vulnerability' only occurs if the data-target
value relies on data injected by something external (directly or indirectly) AND is shown on a page where other users than the attacker are affected.
换句话说,如果您的所有 data-target
属性都由硬编码的 html 文本组成,这不是问题.如果这个页面只被攻击者看到(自我破解......),这通常也不是问题.
In other words this is NOT an issue if all your data-target
attributes are made of hardcoded html text. It is also generally not an issue if this page is only seen by the attacker (self-hack ...).
例如,你也可以说 jQuery .html()
是一个漏洞,这是一个更明显的例子,但如果你是一个完全的 web 初学者或者只是没有注意的话,仍然容易受到 XSS 的攻击.
For example you could also say jQuery .html()
is a vulnerability, which is a more obvious case, but still vulnerable to XSS if you are a total web beginner or just did not pay attention.
因此,一般而言,请避免在第三方中注入未转义的用户数据:弹出窗口、工具提示……或任何在幕后直接操作 DOM 的内容.
So in general, avoid injecting unescaped user data in third-party: popups, tool-tips, ... or anything where DOM is directly manipulated behind the scenes.
我个人不认为这是一个大漏洞,但如果像 bootstrap 这样的著名框架处理这种情况或明确将该方法命名为不安全以警告开发人员,会更好.
I personally do not consider this a big vulnerability, but it is nicer if a famous framework like bootstrap handles this case or explicitly names the method as unsafe to warn developers.
Chrome 审核考虑 bootstrap 3.3.xa 漏洞(通过 synk):
Chrome audit considers bootstrap 3.3.x a vulnerability (via synk):
包括具有已知安全漏洞的前端 JavaScript 库
Includes front-end JavaScript libraries with known security vulnerabilities
- 是如果数据目标"是 Bootstrap 3.3.7 安全可靠的属性未使用?
- https://news.ycombinator.com/item?id=14989841
这篇关于如果“数据目标"是 Bootstrap 3.3.7 安全可靠的?属性未使用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!