没有< meta chartset =<<“any-encoding”>>的安全漏洞/>标签? [英] Security Vulnerabilities without <meta chartset=<<"any-encoding">> /> tag?
问题描述
我已经读过某个地方,声明字符集是好习惯。
I have read somewhere that it is good practice to declare the character set
<meta charset="utf-8">
,以防范严重的安全风险。
of your document to protect against a serious security risk.
如果有人没有在html文档中定义字符集,有什么风险?
what are the risks if someone don't define character set in html document?
推荐答案
的XSS称为 UTF-7 XSS 。
此编码 + ADw -
下呈现为<
和 + AD4 -
呈现为>
。这使攻击者可以注入
Under this encoding +ADw-
renders as <
and +AD4-
renders as >
. This makes it possible for an attacker to inject
+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
,并由浏览器呈现和解释为
and have it rendered and interpreted by the browser as
<script>alert(document.location)</script>
。
旧版本的Internet Explorer自动检测字符集。因此,如果在响应头或元标记中没有指定字符集,则输出诸如 + ADw
trick的序列输出,Internet Explorer将使用UTF-7使任何这样注入的脚本执行。这会导致XSS漏洞。
.
Old versions of Internet Explorer auto detect the charset. Therefore, if no charset is specified in a response header or a meta tag then the output of sequences such as +ADw
"trick" Internet Explorer into rendering the page using UTF-7 making any such injected script execute. This gives rise to the XSS vulnerability.
这篇关于没有< meta chartset =<<“any-encoding”>>的安全漏洞/>标签?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!