IsValid（）是否保护XSS？ [英] Does IsValid() protect from XSS?

问题描述

使用 IsValid（）验证电子邮件地址或网址格式保护免受XSS攻击？

解决方案

有效的网址仍然可能包含攻击媒介：

 <！--- CF9上没有---> 
< cfoutput> #isValid（url，http://www.mydomain.com/products/products.asp?productid=123; DROP TABLE Products）＃< / cfoutput> 
 
<！---是on CF9：hex encoded'; DROP TABLE Products'---> 
< cfoutput> #isValid（url，http://www.mydomain.com/products/products.asp?productid=123%3B%20%44%52%4F%50%20% 54％41％42％4C％45％20％50％72％6F％64％75％63％74％73）< / cfoutput> 
  

授予上述不是XSS攻击，但可以更改为更新列， 。

电子邮件验证似乎阻止

作为一个概括， isValid（）有助于防止XSS当数据类型是有限的整数，SSN，UUID等时，攻击。然而，有一个文件潜在的攻击其唯一的数据类型本身是字符串的字段。在这种情况下， isValid（）没有帮助，而是 OWASP的AntiSamy 是一个非常有用的工具，用于遍历DOM并删除未列入白名单的任何内容。

最佳正规表达式来捕获XSS（跨站点脚本）攻击（在Java中）？提供了很多关于XSS预防的一般主题的有用信息。

最后，请使用：

  cfqueryparam cfsqltype =...value =...> 
  

以保护查询。

更新 b
$ b

最后，但并非最不重要的是， OWASP XSS骗子表：最好的启发式集合，用于处理输入以防止XSS。

Does using IsValid() to validate an email address or a URL format protect from XSS? Does it negate XSS when other formats are specified?

解决方案

A valid URL can still contain an attack vector:

<!--- No on CF9 --->
<cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123; DROP TABLE Products")#</cfoutput>

<!--- Yes on CF9: hex encoded ';DROP TABLE Products' --->
<cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123%3B%20%44%52%4F%50%20%54%41%42%4C%45%20%50%72%6F%64%75%63%74%73")#</cfoutput>

Granted the above is not an XSS attack, but it could be changed to instead update columns with an attack.

Email validation appears to prevent the attacks I could find.

As a generalization, isValid() helps prevent XSS attacks when the datatype is finite - integers, SSNs, UUIDs, etc.. however, there's a laundry list of documented potential attacks against fields whose only datatype per se is 'string'. In that case, isValid() is of no help, rather OWASP's AntiSamy is a useful tool for this purpose that traverses the DOM and removes anything not whitelisted.

Best regex to catch XSS (Cross-site Scripting) attack (in Java)? provides a lot of useful information on the general topic of XSS prevention.

And finally to belabor the point, use:

<cfqueryparam cfsqltype="..." value="...">

to protect queries.

Update

Last, but not least, OWASP XSS Cheat Sheet: best set of heuristics out there for processing input to prevent XSS.

这篇关于IsValid（）是否保护XSS？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！