Guide to proper escaping in Play framework


Problem description


I'm trying to map out how the Play framework supports escaping.

This is a nice page spelling out the needed functionality: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

So I'm trying to relate that to Play template features and fully understand what Play does and doesn't do.

Another point of confusion is the support for index.json (i.e. using templates to build JSON instead of HTML). Does ${} magically switch to JavaScript escaping in a JSON document, or does it still escape HTML, so everything in a JSON template has to have an explicit escapeJavaScript()?

There's also an addSlashes() on http://www.playframework.org/documentation/1.2/javaextensions, but it doesn't seem quite right for any of the situations I can think of. (?)

It would be great to have a thorough guide on how to do all the flavors of escaping in Play. It looks to me like the answer is "roll your own" in several cases but maybe I'm missing what's included.

Solution

I've been looking into this so decided to write up my own answer based on what you already had, this OWASP cheat sheet and some experimentation of my own.

HTML escaping:

  • ${} or the escape() function

Attribute escaping: (common attributes)

  • This is handled in Play so long as you wrap your attributes in double quotes (") and use ${}.
  • For complex attributes (href/src/etc.) see JavaScript below
  • Example unsafe code
    • <a id=${data.value} href="...">...</a>
    • <a id='${data.value}' href="...">...</a>
  • This would break with this for data.value:
    • % href=javascript:alert('XSS')
    • %' href=javascript:alert(window.location)

JavaScript escaping: (and complex attributes)

CSS escaping:

  • Not sure as I've no need for this.
    • I'd imagine you'd need to create your own somehow. Hopefully there is something out there to manipulate the strings for you.

URL escaping:
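As an added illustration (not part of the question or answer, and not Play's own code), the following stand-alone Python model renders the three attribute variants the answer lists and checks, with an HTML parser, which of them lets the value grow into an extra attribute; it also includes OWASP-style JavaScript and URL escapers of the kind the empty "JavaScript escaping" and "URL escaping" headings call for. It assumes, from the answer's examples, that Play 1.x `${}` escapes &, <, > and " but not the single quote; `escape_html_like_play`, `render_link` and `attribute_injected` are names chosen here.

```python
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample inputs: the two data.value payloads quoted in the answer.
UNQUOTED_PAYLOAD = "% href=javascript:alert('XSS')"
SINGLE_QUOTED_PAYLOAD = "%' href=javascript:alert(window.location)"


def escape_html_like_play(value: str) -> str:
    """Model of Play 1.x ${}: escapes & < > and " but not ' (assumption from the answer)."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))


def escape_js(value: str) -> str:
    """OWASP rule 3: inside a JS string literal, \\xHH-escape every non-alphanumeric char."""
    return "".join(c if c.isascii() and c.isalnum()
                   else (f"\\x{ord(c):02X}" if ord(c) < 256 else f"\\u{ord(c):04X}")
                   for c in value)


def escape_url_param(value: str) -> str:
    """OWASP rule 5: percent-encode a query-parameter value (HTML-escape the whole URL afterwards)."""
    return quote(value, safe="")


def render_link(quoting: str, value: str) -> str:
    """The template variants from the answer: id=${v}, id='${v}' and id="${v}"."""
    q = {"none": "", "single": "'", "double": '"'}[quoting]
    return f'<a id={q}{escape_html_like_play(value)}{q} href="/safe">link</a>'


class _AnchorAttrs(HTMLParser):
    """Collects the attributes a browser-like parser sees on the rendered <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = attrs


def attribute_injected(quoting: str, value: str) -> bool:
    """True when the parsed tag carries anything beyond the intended id and href attributes."""
    parser = _AnchorAttrs()
    parser.feed(render_link(quoting, value))
    parser.close()
    return [name for name, _ in parser.attrs] != ["id", "href"]
```

Only the double-quoted form keeps the value inside the id attribute for both payloads; the unquoted and single-quoted forms each yield a second href, which is the breakage the answer describes.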
