没有< meta chartset =<<“any-encoding”>>的安全漏洞/>标签？ [英] Security Vulnerabilities without <meta chartset=<<"any-encoding">> /> tag?

问题描述

我已经读过某个地方，声明字符集是好习惯。

I have read somewhere that it is good practice to declare the character set

 <meta charset="utf-8">

，以防范严重的安全风险。

of your document to protect against a serious security risk.

如果有人没有在html文档中定义字符集，有什么风险？

what are the risks if someone don't define character set in html document?

推荐答案

的XSS称为 UTF-7 XSS 。

此编码 + ADw - 下呈现为< 和 + AD4 - 呈现为> 。这使攻击者可以注入

Under this encoding +ADw- renders as < and +AD4- renders as >. This makes it possible for an attacker to inject

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

，并由浏览器呈现和解释为

and have it rendered and interpreted by the browser as

<script>alert(document.location)</script>

。
旧版本的Internet Explorer自动检测字符集。因此，如果在响应头或元标记中没有指定字符集，则输出诸如 + ADw trick的序列输出，Internet Explorer将使用UTF-7使任何这样注入的脚本执行。这会导致XSS漏洞。

. Old versions of Internet Explorer auto detect the charset. Therefore, if no charset is specified in a response header or a meta tag then the output of sequences such as +ADw "trick" Internet Explorer into rendering the page using UTF-7 making any such injected script execute. This gives rise to the XSS vulnerability.

这篇关于没有< meta chartset =<<“any-encoding”>>的安全漏洞/>标签？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！