Codeigniter xss_clean dilemma
Question
I know this question has been asked over and over again, but I still haven't found the perfect answer for my liking, so here it goes again...
I've been reading lots and lots of polarizing comments about CI's xss_filter. Basically the majority says that it's bad. Can someone elaborate how it's bad, or at least give 1 most probable scenario where it can be exploited? I've looked at the security class in CI 2.1 and I think it's pretty good as it doesn't allow malicious strings like document.cookie, document.write, etc.
If the site has basically non-HTML presentation, is it safe to use the global xss_filter (or if it's REALLY affecting performance that much, use it on a per form post basis) before inserting into the database? I've been reading about the pros and cons of whether to escape on input/output, with the majority saying that we should escape on output only. But then again, why allow strings like <a href="javascript:stealCookie()">Click Me</a> to be saved in the database at all?
The one thing I don't like is that javascript: and such will be converted to [removed]. Can I extend CI's security core $_never_allowed_str array so that the never allowed strings return empty rather than [removed]?
The best reasonable wrongdoing example of this I've read is that if a user has a password of javascript:123 it will be cleaned into [removed]123, which means a string like document.write123 will also pass as the user's password. Then again, what are the odds of that happening, and even if it happens, I can't think of any real harm that can do to the site.
Thanks
Accepted answer
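The password scenario described in the question, as an added illustration that is not part of the original post or of CodeIgniter: an input filter that overwrites "never allowed" substrings with a fixed token collapses distinct inputs into one stored value, and nothing downstream can tell them apart again. The replacement map below is a constructed subset standing in for the kind of table the question refers to ($_never_allowed_str); the real map in a given CI release differs in detail, and the function name clean_on_input is assumed.

```php
<?php
// Added example, not from the question or from CodeIgniter.
// Constructed subset of a "never allowed" replacement map (assumption:
// the real CI table and regexes differ; this only models the behaviour
// of substituting a fixed token for forbidden substrings).
$never_allowed_str = [
    'document.cookie' => '[removed]',
    'document.write'  => '[removed]',
    'javascript:'     => '[removed]',
];

/** Hypothetical "clean on input" step: case-insensitive substring replacement. */
function clean_on_input(string $value, array $map): string
{
    return str_ireplace(array_keys($map), array_values($map), $value);
}

// Two different secrets that differ only in the part the filter blanks out.
$password_a = 'javascript:123';
$password_b = 'document.write123';

$stored_a = clean_on_input($password_a, $never_allowed_str);
$stored_b = clean_on_input($password_b, $never_allowed_str);

// The stored forms are identical: the distinguishing prefix is gone for good.
printf("cleaned A: %s\ncleaned B: %s\nsame after cleaning: %s\n",
    $stored_a, $stored_b, var_export($stored_a === $stored_b, true));

// Hashing after cleaning inherits the collision: B's cleaned form verifies
// against the hash that was made from A's cleaned form.
$hash_cleaned_a = password_hash($stored_a, PASSWORD_DEFAULT);
printf("B verifies against A's hash (cleaned first): %s\n",
    var_export(password_verify($stored_b, $hash_cleaned_a), true));

// Hashing the untouched input keeps the two accounts apart, because the
// secret is never rendered as HTML and so needs no XSS treatment at all.
$hash_raw_a = password_hash($password_a, PASSWORD_DEFAULT);
printf("B verifies against A's hash (raw input): %s\n",
    var_export(password_verify($password_b, $hash_raw_a), true));
```

Run it with `php collision.php`. The point to take from it is that the filter's damage is done at storage time: once two inputs share a stored form, no amount of output escaping can separate them, which is why escaping at output (where the context is known) rather than rewriting input is the approach the accepted answer recommends.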
Basically XSS is an OUTPUT problem - but Codeigniter deals with it as an INPUT problem.
"Can someone elaborate how it's bad..."
The problem is xss_clean alters your INPUT - meaning in some scenarios (like the password issue you have described) the input is not what is expected.
"...or at least give 1 most probable scenario where it can be exploited?"
It only looks for certain key words, such as "javascript". There are other script actions which xss_clean does not detect, plus it won't protect you against any "new" attacks.
"The one thing I don't like is javascript: and such will be converted to [removed]. Can I extend the CI's security core $_never_allowed_str arrays so that the never allowed strings return empty rather than [removed]?"
-
"I've been reading about pros and cons about whether to escape on input/output, with the majority saying that we should escape on output only."
This is the correct answer - escape ALL your output, and you have true XSS protection, without altering the input.
Personally, my approach to XSS protection in Codeigniter is that I do not do ANY XSS cleaning on the inputs. I run a hook on the _output - which cleans all my "view_data" (which is the variable I use to send data to the views).
I can toggle it if I don't want the XSS Clean to run by inserting a "$view_data['clean_output'] = false" in my controller, which the hook checks:
// Escape unless the controller explicitly set clean_output to false
if (( ! isset($this->CI->view_data['clean_output'])) || ($this->CI->view_data['clean_output']))
{
    // Apply to all in the list (top-level string values of view_data)
    $this->CI->view_data = array_map("htmlspecialchars", $this->CI->view_data);
}
This gives me automatic and full XSS protection on my whole site - with just a couple of lines of code and no performance hit.
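The output-escaping hook described in this answer, written out as an added example that is not the answerer's own code and not part of CodeIgniter. It goes a little further than the snippet above: it recurses into nested arrays (a plain array_map("htmlspecialchars", ...) would emit a warning and drop any sub-array), it leaves non-string values untouched, and it passes ENT_QUOTES and an explicit UTF-8 charset so single quotes inside attributes are escaped too. The class name OutputEscaper, the view_data property and the clean_output toggle key are assumptions taken from the answer's description; get_instance() is CodeIgniter's own accessor. How the class is registered in config/hooks.php is not shown in the answer and is left out here.

```php
<?php
// Added example: an output-stage escaping hook for CodeIgniter view data.
// Not the answer's code; names (OutputEscaper, view_data, clean_output) are
// assumed from the answer's description.

class OutputEscaper
{
    /** Escape one scalar for an HTML text or attribute context; non-strings pass through. */
    public static function escapeValue($value)
    {
        if (is_string($value)) {
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
        return $value; // int, float, bool, null: nothing to escape
    }

    /** Recursively escape an array of view data, preserving keys and structure. */
    public static function escapeArray(array $data): array
    {
        foreach ($data as $key => $value) {
            $data[$key] = is_array($value)
                ? self::escapeArray($value)
                : self::escapeValue($value);
        }
        return $data;
    }

    /**
     * Hook entry point. Escapes everything in $CI->view_data unless the
     * controller set $view_data['clean_output'] = false, which is the
     * toggle the answer describes for pages that render trusted HTML.
     */
    public function run(): void
    {
        $ci =& get_instance();
        if (!isset($ci->view_data) || !is_array($ci->view_data)) {
            return; // controller did not use view_data on this request
        }
        $enabled = !isset($ci->view_data['clean_output']) || $ci->view_data['clean_output'];
        if ($enabled) {
            $ci->view_data = self::escapeArray($ci->view_data);
        }
    }
}

// Stand-alone demonstration on constructed data (no framework needed):
// the raw markup from the question is stored untouched and only becomes
// inert at the point where it is handed to the view.
$view_data = [
    'username' => 'alice',
    'bio'      => '<a href="javascript:stealCookie()">Click Me</a>',
    'posts'    => [['title' => 'Hi <script>alert(1)</script>']],
    'count'    => 2,
];
print_r(OutputEscaper::escapeArray($view_data));
```

One caveat the answer does not spell out: htmlspecialchars is the right tool only for data placed in HTML text or quoted attribute values. A value that ends up inside a script block, a URL or an inline event handler needs the escaping rules of that context instead, and the clean_output = false toggle should be reserved for data that was sanitised with an HTML allow-list on the way in, since it switches off the only protection this hook provides.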