用户提交的HTML存在安全风险 [英] Security risks from user-submitted HTML
问题描述
我使用的是contentEditable div,它允许用户编辑主体HTML,然后使用AJAX请求直接发布到网站。当然,我必须对它进行一些安全检查。最明显的是通过在提交的HTML中搜索< script
来确保没有提交脚本标记。这是在第一次运行 htmlentities
之后完成的,将数据传输到另一台服务器,然后运行 html_entity_decode
。此外,每个打开的标签都必须关闭,并且每个关闭的标签都必须在用户提交的HTML内打开。
I am using a contentEditable div that allows users to edit the body HTML and then post it directly to site using an AJAX request. Naturally, I have to do some security checks on it. The most obvious was ensuring that no script tags were submitted by searching for <script
in the submitted HTML. This is done after first running htmlentities
, transferring the data to another server, and then running html_entity_decode
. In addition, every tag that is opened must be closed and every tag that is closed must be opened within the user submitted HTML.
忽略不相关的安全风险(例如SQL注入)和非安全风险(例如用户发布不适当的图片),还有什么是其他安全风险(如果有的话),特别是允许用户直接向页面添加HTML的风险?
Disregarding unrelated security risks (such as SQL injection) and non-security risks (such as a user posting an inappropriate image), what are other security risks, if any, specifically linked to allowing a user to add HTML directly to a page?
更具体地说,
To be more specific,
- 有没有方法可以在页面中放入脚本使用脚本标记,或
- 有没有方法通过编辑HTML而不使用脚本来危害站点或其用户的安全?
推荐答案
使用元素上的事件属性可以调用任意数量的方法,如:
Javascript can be called any number of ways by using the event attributes on elements, like:
<body onload="..">
发布了类似的问题建议使用我的用户无法插入html代码 - 无风险 - 非 - 技术 - r .org /rel =nofollow noreferrer> HTMLPurifier ,而不是试图自己处理。
A similar question posted here recommends using HTMLPurifier instead of trying to handle this on your own.
这篇关于用户提交的HTML存在安全风险的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!