IsValid()是否保护XSS? [英] Does IsValid() protect from XSS?
问题描述
使用 IsValid()验证电子邮件地址或网址格式保护免受XSS攻击?
有效的网址仍然可能包含攻击媒介:
<!--- CF9上没有--->
< cfoutput> #isValid(url,http://www.mydomain.com/products/products.asp?productid=123; DROP TABLE Products)#< / cfoutput>
<!---是on CF9:hex encoded'; DROP TABLE Products'--->
< cfoutput> #isValid(url,http://www.mydomain.com/products/products.asp?productid=123%3B%20%44%52%4F%50%20% 54%41%42%4C%45%20%50%72%6F%64%75%63%74%73)< / cfoutput>
授予上述不是XSS攻击,但可以更改为更新列, 。
作为一个概括, isValid()
有助于防止XSS当数据类型是有限的整数,SSN,UUID等时,攻击。然而,有一个文件潜在的攻击其唯一的数据类型本身是字符串的字段。在这种情况下, isValid()
没有帮助,而是 OWASP的AntiSamy 是一个非常有用的工具,用于遍历DOM并删除未列入白名单的任何内容。
最佳正规表达式来捕获XSS(跨站点脚本)攻击(在Java中)?提供了很多关于XSS预防的一般主题的有用信息。
最后,请使用:
cfqueryparam cfsqltype =...value =...>
更新 b
$ b
最后,但并非最不重要的是, OWASP XSS骗子表:最好的启发式集合,用于处理输入以防止XSS。
Does using IsValid() to validate an email address or a URL format protect from XSS? Does it negate XSS when other formats are specified?
A valid URL can still contain an attack vector:
<!--- No on CF9 --->
<cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123; DROP TABLE Products")#</cfoutput>
<!--- Yes on CF9: hex encoded ';DROP TABLE Products' --->
<cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123%3B%20%44%52%4F%50%20%54%41%42%4C%45%20%50%72%6F%64%75%63%74%73")#</cfoutput>
Granted the above is not an XSS attack, but it could be changed to instead update columns with an attack.
Email validation appears to prevent the attacks I could find.
As a generalization, isValid()
helps prevent XSS attacks when the datatype is finite - integers, SSNs, UUIDs, etc.. however, there's a laundry list of documented potential attacks against fields whose only datatype per se is 'string'. In that case, isValid()
is of no help, rather OWASP's AntiSamy is a useful tool for this purpose that traverses the DOM and removes anything not whitelisted.
Best regex to catch XSS (Cross-site Scripting) attack (in Java)? provides a lot of useful information on the general topic of XSS prevention.
And finally to belabor the point, use:
<cfqueryparam cfsqltype="..." value="...">
Update
Last, but not least, OWASP XSS Cheat Sheet: best set of heuristics out there for processing input to prevent XSS.
这篇关于IsValid()是否保护XSS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!