GWT SafeHTML, XSS & Best Practices
Question
The good people of OWASP emphasize that you MUST use the escape syntax for the part of the HTML document you're putting untrusted data into (body, attribute, JavaScript, CSS, or URL). See OWASP - XSS. Their API (developed by the ESAPI team) subsequently caters for this by having encoders for each context:
ESAPI.encoder().encodeForHTML("input");
ESAPI.encoder().encodeForHTMLAttribute("input");
ESAPI.encoder().encodeForJavaScript("input");
ESAPI.encoder().encodeForCSS("input");
ESAPI.encoder().encodeForURL("input");
Subsequently this allows the developer to cater for DOM-based XSS.
So my question is how does GWT's safehtml package cater for this or does it merely focus on HTML encoding?
SafeHtmlTemplates will do it (client-side only though, as it relies on a GWT generator). It'll parse the HTML fragment using a "tag soup" parser, that will infer the context and either log a warning or throw if the argument cannot be used in this context (for instance, it prevents all use of placeholders in script context). This is still in flux though (SafeUri is still in review and SafeStyles is still severely limited) but it'll be there in due time (should be in GWT 2.4 I think).
Otherwise:
- SafeHtmlUtils will escape all of <, >, &, ' and " so the result is safe for "HTML" and "HTML attribute" contexts
- SafeHtmlBuilder's various append methods will just call SafeHtmlUtils under the hood
- UriUtils provides tools to scrub unsafe URIs (you'll still need a SafeHtmlUtils pass or equivalent afterwards if you're building an HTML string, vs. using the value directly for an image's source or anchor's href).
- SafeStyles doesn't provide anything specific in itself, but SafeHtmlTemplates will only allow it at the beginning of a CSS context, and will log a warning if you try to put anything else in a CSS context. SafeStylesBuilder is expected to be extended with type-safe methods, to help build well-formed CSS.
- I've been working on a SafeUri interface, similar to SafeStyles but in a URL context. In due time, SafeHtmlTemplates will only allow a SafeUri or a String as the full value of a URL attribute, passing the String through UriUtils to make sure it's safe.
In brief, I think the answer to your question is: yes, GWT's safehtml package caters for this; but you'll probably have to always use the latest version of GWT (at least for the coming year) to be safe.
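As an added example (not code from the original question or answer, and not part of GWT itself), here is a small GWT entry point that renders the same fragment two ways: through SafeHtmlTemplates, where the generator infers the context of each placeholder, and by hand with SafeHtmlUtils and UriUtils, where the caller has to pick the right escaper per context. It assumes GWT 2.4 or later, where the SafeUri support the answer describes as upcoming has shipped; the CardTemplates interface, the SafeHtmlDemo class and the hostile sample strings are all hypothetical, constructed for this illustration.

```java
// Added example, not from the original answer and not GWT's own code.
// Assumed: GWT 2.4+ (SafeUri available). CardTemplates, SafeHtmlDemo and the
// sample input strings are hypothetical / constructed for this illustration.
import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;
import com.google.gwt.user.client.ui.HTML;
import com.google.gwt.user.client.ui.RootPanel;

public class SafeHtmlDemo implements EntryPoint {

  // The GWT generator parses this template at compile time and infers the context
  // of each placeholder: {0} sits in an attribute and {2} in element text (both get
  // HTML-escaped); {1} is the entire value of a URL attribute, so a String argument
  // would be passed through UriUtils and a SafeUri is taken as already vetted.
  // A placeholder inside a <script> element is rejected by the generator.
  public interface CardTemplates extends SafeHtmlTemplates {
    @Template("<div class=\"{0}\"><a href=\"{1}\">{2}</a></div>")
    SafeHtml card(String cssClass, SafeUri href, String label);
  }

  private static final CardTemplates TEMPLATES = GWT.create(CardTemplates.class);

  /** Template route: the context of every value is decided once, in the template. */
  static SafeHtml buildWithTemplate(String cssClass, String url, String label) {
    // UriUtils.fromString() sanitizes: a URI with a scheme such as javascript:
    // is replaced by "#" before it is wrapped as a SafeUri.
    SafeUri href = UriUtils.fromString(url);
    return TEMPLATES.card(cssClass, href, label);
  }

  /** Manual route: the caller escapes each piece for the context it lands in. */
  static SafeHtml buildWithUtils(String cssClass, String url, String label) {
    String html = "<div class=\"" + SafeHtmlUtils.htmlEscape(cssClass) + "\">"
        // URL context takes two distinct steps: sanitize the URI for the URL
        // context, then HTML-escape the result for the attribute it sits in.
        + "<a href=\"" + SafeHtmlUtils.htmlEscape(UriUtils.sanitizeUri(url)) + "\">"
        + SafeHtmlUtils.htmlEscape(label)          // body (element text) context
        + "</a></div>";
    // fromTrustedString performs no escaping of its own: it only vouches for a
    // string whose untrusted parts have all been escaped above.
    return SafeHtmlUtils.fromTrustedString(html);
  }

  @Override
  public void onModuleLoad() {
    // Constructed hostile inputs: one aimed at the attribute context, one at the
    // URL context, one at the body context.
    String cssClass = "card\" onmouseover=\"alert(1)";
    String url = "javascript:alert(1)";
    String label = "<img src=x onerror=alert(1)>";

    // Both widgets render an inert link: the quote and angle brackets arrive as
    // entities, and the javascript: URL has been replaced by "#".
    RootPanel.get().add(new HTML(buildWithTemplate(cssClass, url, label)));
    RootPanel.get().add(new HTML(buildWithUtils(cssClass, url, label)));
  }
}
```

Only the template route is checked by the generator; the manual route is where the answer's caveat applies: sanitizing the URI and HTML-escaping it are separate steps, and fromTrustedString escapes nothing, so the assembled string is exactly as safe as the escaping applied to each piece. SafeHtmlTemplates is client-side only because it depends on the generator, whereas SafeHtmlUtils and UriUtils live in the shared package and can be used in server-side code as well.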