div contenteditable,XSS [英] div contenteditable, XSS
问题描述
我目前有一个简单的< div contenteditable =true> 工作,但是,这是我的问题。
目前,用户可以通过在div中插入< script> 来创建持久XSS,绝对不想要。
然而,我目前的想法是解决这个问题:
你们建议的是什么? 解决方案
您必须记住,为了防止xss,请尽快在服务器端进行。如果您的富文本编辑器(例如YUI或tinyMCE)具有一些javascript以防止脚本标记被输入,这不会阻止我检查您的http发布请求,查看您使用的变量名称,然后使用firefox海报将我喜欢的任何字符串发送到您的服务器以绕过所有客户端验证。如果你没有验证用户输入SERVER SIDE,那么你几乎没有任何工作可以保护XSS。
任何客户端xss保护都会影响您如何呈现用户输入;不是你如何接收它。所以,例如,如果你编码所有的输入,所以它不会呈现为html。这远离你想要完成的事情(只是锚和img标签)。请记住,您允许的越多,可能会呈现出更多可能的漏洞。
据说大部分的保护应该来自服务器端,很多XSS都会根据你写的内容(ex,asp.net或tomcat / derby / jboss)进行过滤,你可以看看。
I通过只允许一个和img标签认为你是在正确的道路上。您必须记住的一件事是您可以将javascript命令放入标记的src属性中,因此请注意验证href属性。但是允许任何事情,然后改变过滤器只允许某些事情(AKA白名单过滤)的基本思路比允许所有内容然后过滤掉我不想要的内容(AKA黑名单过滤)要好。
在下面的评论中, Brian Nickel 也表示这说明了这一点要点:$ b
$ b
除了要保留的元素和属性以外的所有内容。我
知道你在你的回答中提到它,但是由于它
太可怕了,所以重复。< img onerror =stealMoney()>
你想要做的事情是定义一个XSSFilterRequest对象(或者这些行的东西),并在过滤器中覆盖你的请求,以便任何你的getUrlParameter和getRequestParameter对象调用通过你的请求值xss过滤器。这提供了一个干净的方式来过滤所有内容,而无需重写现有的代码。
编辑:xss过滤的一个python示例:
I currently have a simple <div contenteditable="true"> working, but, here's my problem.
Currently, the user can create a persistent XSS by inserting a <script> into the div, which I definitely do not want.
However, my current ideas to fix this are:
- Allow only a and img tags
- Use a textarea (not a good idea, because then have users copy and paste images)
What do you guys suggest?
You have to keep in mind that to prevent xss, you've GOT TO DO IT ON THE SERVER SIDE. If your rich text editor (ex YUI or tinyMCE) has some javascript to prevent a script tag from being inputted, that doesn't stop me from inspecting your http post requests, looking at the variable names you're using, and then using firefox poster to send whatever string I like to your server to bypass all client side validation. If you aren't validating user input SERVER SIDE then you're doing almost nothing productive to protect from XSS.
Any client side xss protection would have to do with how you render user input; not how you receive it. So, for example, if you encoded all input so it does not render as html. This goes away from what you want to accomplish though (just anchor and img tags). Just keep in mind the more you allow to be rendered the more possible vulnerabilities you expose.
That being said the bulk of your protection should come from the server side and there are a lot of XSS filters out there depending on what you're writing with (ex, asp.net or tomcat/derby/jboss) that you can look into.
I think you're on the right path by allowing ONLY a and img tags. The one thing you have to keep in mind is that you can put javascript commands into the src attributes of a tags, so take care to validate the href attributes. But the basic idea of "allow nothing and then change the filters to only allow certain things" (AKA whitelist filtering) is better than "allow everything and then filter out what I don't want" (AKA blacklist filtering).
In the comments below, Brian Nickel also said this which illustrates the point:
Everything but the elements and attributes you want to keep. I know you mentioned it in your answer but that bears repeating since it is so scary.
<img onerror="stealMoney()">
The other thing you're going to want to do is define a XSSFilterRequest object (or something along those lines) and in a filter, override your requests so that any call to whatever your "getUrlParameter" and "getRequestParameter" objects run the request values through your xss filter. This provides a clean way to filter everything without rewriting existing code.
EDIT: A python example of xss filtering:
Python HTML sanitizer / scrubber / filter
Python library for XSS filtering?
这篇关于div contenteditable,XSS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
