GWT SafeHTML, XSS & Best Practices


Question



The good people of OWASP emphasize that you MUST use the escape syntax for the part of the HTML document you’re putting untrusted data into (body, attribute, JavaScript, CSS, or URL). See OWASP - XSS. Their API (developed by the ESAPI team) subsequently caters for this having encoders for each context:

    ESAPI.encoder().encodeForHTML("input");
    ESAPI.encoder().encodeForHTMLAttribute("input");
    ESAPI.encoder().encodeForJavaScript("input");
    ESAPI.encoder().encodeForCSS("input");
    ESAPI.encoder().encodeForURL("input");

Subsequently this allows the developer to cater for DOM-based XSS.

So my question is how does GWT's safehtml package cater for this or does it merely focus on HTML encoding?

Solution

SafeHtmlTemplates will do it (client-side only though, as it relies on a GWT generator). It'll parse the HTML fragment using a "tag soup" parser, that will infer the context and either log a warning or throw if the argument cannot be used in this context (for instance, it prevents all use of placeholders in script context). This is still in flux though (SafeUri is still in review and SafeStyles is still severely limited) but it'll be there in due time (should be in GWT 2.4 I think).

Otherwise:

  • SafeHtmlUtils will escape all of <, >, &, ' and " so the result is safe for "HTML" and "HTML attribute" contexts
  • SafeHtmlBuilder's various append methods will just call SafeHtmlUtils under the hood
  • UriUtils provides tools to scrub unsafe URIs (you'll still need a SafeHtmlUtils pass or equivalent afterwards if you're building an HTML string, vs. using the value directly for an image's source or anchor's href).
  • SafeStyles doesn't provide anything specific in itself, but SafeHtmlTemplates will only allow it at the beginning of a CSS context, and will log a warning if you try to put anything else in a CSS context. SafeStylesBuilder is expected to be extended with type-safe methods, to help build well-formed CSS.
  • I've been working on a SafeUri interface, similar to SafeStyles but in a URL context. In due time, SafeHtmlTemplates will only allow a SafeUri or a String as the full value of a URL attribute, passing the String through UriUtils to make sure it's safe.

In brief, I think the answer to your question is: yes, GWT's safehtml package caters for this; but you'll probably have to always use the latest version of GWT (at least for the coming year) to be safe.
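The following is an added example, not code from the question, the answer, or the GWT project itself. It shows how the pieces the answer lists map onto the per-context encoders the question asks about: SafeHtmlUtils for HTML text and attribute contexts, SafeHtmlBuilder for piecewise construction, UriUtils plus SafeUri for URL-valued attributes, and a SafeHtmlTemplates interface whose placeholders are context-checked by the GWT generator at compile time. It assumes GWT 2.4 or later (when SafeUri and UriUtils.fromString became available); the package name, the LinkTemplates interface, the render methods and the sample inputs are constructed for this example.

```java
package example; // hypothetical package, not part of the original post

import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;
import com.google.gwt.user.client.ui.HTML;
import com.google.gwt.user.client.ui.RootPanel;

public class SafeHtmlContexts implements EntryPoint {

    // Compile-time checked template (interface name is ours). The GWT generator
    // parses this fragment and infers a context per placeholder: {0} sits in
    // HTML text context and is HTML-escaped; {1} is the complete value of a URL
    // attribute, so only a SafeUri (or a String that is first run through
    // UriUtils) is accepted. A placeholder inside <script>...</script> would be
    // rejected at compile time.
    public interface LinkTemplates extends SafeHtmlTemplates {
        @Template("<a href=\"{1}\">{0}</a>")
        SafeHtml link(String label, SafeUri href);
    }

    private static final LinkTemplates TEMPLATES = GWT.create(LinkTemplates.class);

    // HTML body and attribute contexts: SafeHtmlUtils escapes < > & ' and ".
    public static SafeHtml renderComment(String untrustedComment) {
        return SafeHtmlUtils.fromString(untrustedComment);
    }

    // Piecewise construction: only the literal markup is passed as a trusted
    // constant; every untrusted piece goes through appendEscaped, which calls
    // SafeHtmlUtils under the hood.
    public static SafeHtml renderCard(String untrustedTitle, String untrustedBody) {
        return new SafeHtmlBuilder()
                .appendHtmlConstant("<div class=\"card\"><h3>")
                .appendEscaped(untrustedTitle)
                .appendHtmlConstant("</h3><p>")
                .appendEscaped(untrustedBody)
                .appendHtmlConstant("</p></div>")
                .toSafeHtml();
    }

    // URL context: UriUtils.fromString sanitizes the value (a URI whose scheme
    // is not one of the few UriUtils allows, such as "javascript:", is replaced
    // by "#"); the template then handles attribute escaping of the result.
    public static SafeHtml renderLink(String untrustedLabel, String untrustedUrl) {
        SafeUri href = UriUtils.fromString(untrustedUrl);
        return TEMPLATES.link(untrustedLabel, href);
    }

    @Override
    public void onModuleLoad() {
        // Constructed sample inputs standing in for user-supplied data.
        String comment = "<b>not bold</b> & \"quoted\"";
        String url = "javascript:void(0)";   // scrubbed to "#" by UriUtils

        // The unsafe pattern the safehtml package is meant to replace would be
        //   new HTML("<p>" + comment + "</p>")   // raw String is treated as markup
        // Each widget below only ever receives a SafeHtml value.
        RootPanel.get().add(new HTML(renderComment(comment)));
        RootPanel.get().add(new HTML(renderCard("Title", comment)));
        RootPanel.get().add(new HTML(renderLink("Open", url)));
    }
}
```

The design choice worth noting is that every method returns SafeHtml rather than String, so the only places a raw String can enter the markup are appendHtmlConstant and fromSafeConstant calls on literals; a code review can grep for those and SafeHtmlUtils.fromTrustedString to find every trust boundary. The CSS context is not covered here because, as the answer says, SafeStyles and SafeStylesBuilder were still limited at the time.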
