IsValid（）是否保护XSS？ [英] Does IsValid() protect from XSS?

问题描述

使用 IsValid（）验证一个电子邮件地址或URL格式保护XSS？

Does using IsValid() to validate an email address or a URL format protect from XSS? Does it negate XSS when other formats are specified?

推荐答案

有效的URL仍然可以包含攻击向量：

A valid URL can still contain an attack vector:

<!--- No on CF9 --->
<cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123; DROP TABLE Products")#</cfoutput>

<!--- Yes on CF9: hex encoded ';DROP TABLE Products' --->
<cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123%3B%20%44%52%4F%50%20%54%41%42%4C%45%20%50%72%6F%64%75%63%74%73")#</cfoutput>

授予上述不是XSS攻击，而是可以更改为更新列， 。

Granted the above is not an XSS attack, but it could be changed to instead update columns with an attack.

电子邮件验证似乎阻止了我可以找到的攻击。

Email validation appears to prevent the attacks I could find.

作为一般化， isValid（）有助于防止XSS数据类型有限的攻击 - 整数，SSN，UUID等。然而，有一个文件清单对其唯一的数据类型本身是字符串的字段的潜在攻击。在这种情况下， isValid（）没有帮助，而是 OWASP的AntiSamy 是一个有用的工具，用于遍历DOM并删除未列入白名单的任何内容。

As a generalization, isValid() helps prevent XSS attacks when the datatype is finite - integers, SSNs, UUIDs, etc.. however, there's a laundry list of documented potential attacks against fields whose only datatype per se is 'string'. In that case, isValid() is of no help, rather OWASP's AntiSamy is a useful tool for this purpose that traverses the DOM and removes anything not whitelisted.

最佳的正则表达式捕获XSS（跨站脚本）攻击（Java）？提供关于XSS预防的一般主题的很多有用的信息。

Best regex to catch XSS (Cross-site Scripting) attack (in Java)? provides a lot of useful information on the general topic of XSS prevention.

最后说明一点，请使用：

And finally to belabor the point, use:

<cfqueryparam cfsqltype="..." value="...">

来保护查询。

更新

最后但并非最不重要的是， OWASP XSS作弊表：最佳的启发式集合，用于处理输入以防止XSS。

Last, but not least, OWASP XSS Cheat Sheet: best set of heuristics out there for processing input to prevent XSS.

这篇关于IsValid（）是否保护XSS？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！