使用白名单安全地将HTML标签放在javascript中 [英] securely strip html tags in javascript with whitelist

问题描述

我想从JavaScript中的字符串中几乎每个html标签上都可以剥离，只允许几个基本的标签

（&剥离他们的属性），以防止跨站点脚本。

I want to strip almost every html tag from a string in javascript, allowing only a few basic tags
(& strip their attributes) to prevent Cross-Site-Scripting.

很多人说，不应该使用javascript来完成，因为客户端可能会禁用javascript，导致过滤器中断。但是，我的整个项目都取决于javascript，而没有禁用JavaScript的客户端将会看到输出，另外我无法在服务器端执行。

A lot of people say, it shouldn't be done with javascript, because clients might have javascript disabled, causing the filter to break. However my whole project depends on javascript, and no client with disabled javascript will ever see the output, plus I am unable to do it server-side.

（1）在这种情况下，我可以假设可以安全地进行吗？

(1) Am I right to assume in this case it might be done securely?

bobince 建议使用DOM （而不是RegEx）来过滤潜在的不安全的输入。我当然没有XSS专家，但是由于他的例子取决于插入到DOM 之前的的过滤器做他的工作，我可以想象它可能是不安全的，因为如下：

bobince recommends to use the DOM (instead of RegEx) to filter the potentially insecure input. I am certainly no XSS expert but because his example depends on the string being inserted to the DOM before the filter does his job, I could imagine it might be insecure because of something like:

var unsecureString = '<img src=".." onload="alert(\'bad\')" />';
$('#alice').update(unsecureString);
filterNodes($('#alice'), {p:[],a:['href']}); // see link above

（2）我可以肯定，上面的坏事不会永远fire？

(2) Can I be certain, the bad event above won't ever fire?

（3）如果没有：如何避免这样的问题，但仍然使用DOM？

(3) If not: How to avoid such problems, but still use the DOM?

推荐答案

看看google caja消毒剂。

have a look at the google caja sanitizer.

https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer

这篇关于使用白名单安全地将HTML标签放在javascript中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！