为什么HTML编码会阻止某些XSS攻击？ [英] Why does HTML encoding prevent certain XSS attacks?

问题描述

我一直在阅读你在从服务器到客户端（我认为？）的HTML编码方式，这将防止许多类型的XSS攻击。但是，我根本不明白。 HTML仍然会被浏览器消耗和渲染吗？

I have been reading that you HTML encode on the way back from the server to the client (I think?) and this will prevent many types of XSS attacks. However, I don't understand at all. The HTML is still going to be consumed and rendered by the browser right?

这是如何阻止任何事情的？

How is this stopping anything?

我在多个位置，网站和书籍中阅读过这些内容，但实际上并没有解释为什么 。

I've read about this in multiple locations, websites and books, and nowhere does it actually explain why this works.

推荐答案

想想看：编码 HTML是什么样子的？例如，它可能看起来像这样：

Think about it: What does encoded HTML look like? For example, it could look like this:

<a href="www.stackoverflow.com">

所以它会以文字形式呈现在客户端上（如< a href =www。 stackoverflow.com>），而不是HTML。这意味着您不会看到实际的链接，而是代码本身。

So it will be rendered on the client as the literals (as <a href="www.stackoverflow.com">), not as HTML. Meaning you won't see an actual link, but the code itself.

XSS攻击的工作原理是有人可以让客户端浏览器解析HTML，网站提供者不会不打算在那里;如果上面没有编码，这意味着提供的链接将被嵌入到网站中，尽管网站提供商不希望这样。

XSS attacks work on the basis that someone can make a client browser parse HTML that the site provider didn't intend to be on there; if the above weren't encoded, it would mean that the provided link would be embedded in the site, although the site provider didn't want that.

XSS是当然比这更精致一些，并且通常还涉及JavaScript（因此跨站点脚本），但出于演示目的，此简单示例应该足够了; JavaScript代码和简单的HTML代码一样，因为XSS是更一般的HTML注入的特例。

XSS is of course a little more elaborate than that, and usually involves JavaScript as well (hence the Cross Site Scripting), but for demonstration purposes this simple example should suffice; it's the same with JavaScript code as with simple HTML tags, since XSS is a special case of the more general HTML injection.

这篇关于为什么HTML编码会阻止某些XSS攻击？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！