为什么我们不能有一些AntiXss Literal html标签 [英] Why can't we have some AntiXss Literal html tag

问题描述

现在我正在学习网络安全，XSS等。由于XSS基本上是针对客户端代理（网络浏览器），通过注入一些由Web浏览器执行的恶意代码，因为它是由经过验证的用户插入的。现在问题是为什么我们不能在HTML中使用标签，只显示文字并阻止其中的任何内容执行？

例如：

 <！ - 下面的代码不会被执行，只会被Web浏览器视为文字内容 - > 
 
< ltrl> 
< script type =text / javascript> alert（'You have been xssed'）;< / script> 
< / ltrl> 
  

所以如果我在html中有这样的内容，那么它显示为

 < script type =text / javascript> alert（'You have been xssed'）;< / script> 
  

在网路浏览器中。

解决方案

假设攻击者提供的文本内容为：

 < / ltrl> 
< script type =text / javascript> alert（'You have been xssed'）;< / script> 
< ltrl> 
  

总加价是

 < ltrl> 
< / ltrl> 
< script type =text / javascript> alert（'You have been xssed'）;< / script> 
< ltrl> 
< / ltrl> 
  

并且您的防守已被轻易破坏。

Nowadays I am learning about web security, XSS, etc. As XSS basically targets a client-agent (web browser) by injecting some malicious code that is executed by the web browser as it was inserted by an authenticated user. Now the question is Why can't we have a tag in html that just shows literals and prevents the execution of anything inside it?

Something like:

<!-- The code below will not be executed and just treated as literal content by a web browser -->

<ltrl>
<script type="text/javascript">alert('You have been xssed');</script>
</ltrl>

So if I would have something like this in html then it were shown as

<script type="text/javascript">alert('You have been xssed');</script>

in web browser.

解决方案

Suppose the contents of the text supplied by the attacker was:

</ltrl>
<script type="text/javascript">alert('You have been xssed');</script>
<ltrl>

the total markup would be

<ltrl>
</ltrl>
<script type="text/javascript">alert('You have been xssed');</script>
<ltrl>
</ltrl>

and your defence has been trivially breached.

这篇关于为什么我们不能有一些AntiXss Literal html标签的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！