显示HTML用户输入,安全问题 [英] Show HTML user input, security issue
问题描述
在我的网站上,用户将能够为内容输入html标签,以便文本可以是粗体,斜体或链接和图像。我打算使用真正使用HTML标记(不是BBC代码或wiki语法)的ckeditor或tinymce。
如果我允许使用HTML,当文本将被显示时,它将被解释并且它可能包含一些像JavaScript一样的黑客或XSS ....
如何避免此安全问题?
是否必须列出想要的html标签并删除所有不需要的标签和内容?
我可以使用strip标签吗?
例如它是如何在stackoverflow上完成的?
你知道一些插件php / jquery插件谁可以安全地保存和安全地解释有限的html标签?
预先感谢您的帮助
您需要同时使用服务器端HTML清理程序和内容安全策略阻止内联脚本,eval和远程托管脚本
根据您使用服务器端的语言, HtmlSanitiser或Python Bleach。使用客户端验证或朴素过滤的
不会保护您:
- 客户端验证,正如@Smamatti所建议的那样,如果用户手动提交表单,则无法为您提供帮助。 ('< script>','',$ str); @ user1477388建议的不会当有人上传
< script src =foo>或<< script>脚本> alert('foo'); < / script>或< body onload =alert('foo');< / body>
On my website, users will be able to input html tags for the content so the text can be bold, italic or links and image. I plan to use ckeditor or tinymce which are really using HTML tags (not BBC code or wiki syntax) If I allow HTML, when the text will be shown it will be interpreted and it may contain some "hack" like javascript or XSS.... How can I do to avoid this security issue ? Do I have to list the wanted html tags and to delete all unwanted tags and content ? Can I use strip tags for this ?
How is it done on stackoverflow for example ?
Do you know some plugin php/jquery plugins who can safely save and safely interpret limited html tags ?
Thanks in advance for your help
You need to use both a server side HTML sanitizer, and a Content Security Policy preventing in-line scripts, eval and remotely hosted scripts
Depending on what language you are using server side, use HtmlSanitiser or python Bleach.
using either client side validation or naive filtering will not protect you at all:
- client side validation, as suggested by @Smamatti will not help you if a user submits the form manually.
- naive filtering such as
str_replace('<script>', '', $str);suggested by @user1477388 will not protect you when someone uploads<script src="foo">or<<script>script>alert('foo');</script>or<body onload="alert('foo')";</body>
这篇关于显示HTML用户输入,安全问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
