- The Guide to Finding and Reporting Web Vulnerabilities
Prevention
To prevent XSS, an application should implement two controls: robust input validation and contextual output escaping and encoding. Applications should never insert user-submitted data directly into an HTML document—including, for example, inside `<script>` tags, HTML tag names, or attribute names. Instead, the server should validate that user-submitted input doesn't contain dangerous characters that might influence the way browsers interpret the information on the page. For example, user input containing the string `"<script>"` is a good indicator that the input contains an XSS payload. In this case, the server could block the request, or sanitize it by removing or escaping special characters before further processing.
Escaping refers to the practice of encoding special characters so that they are interpreted literally instead of as special characters by the programs or machines that process them. There are different ways of encoding a character. Applications will need to encode the user input based on where it will be embedded. If the user input is inserted into `<script>` tags, it needs to be encoded in JavaScript format. The same goes for input inserted into HTML, XML, JSON, and CSS files.
In the context of our example, the application needs to encode special characters into a format used by HTML documents. For example, the left and right angle brackets can be encoded into the HTML entities `&lt;` and `&gt;`. To prevent XSS, the application should escape characters that have special meaning in HTML, such as the `&` character, the angle brackets `<` and `>`, single and double quotes, and the forward-slash character.
Escaping ensures that browsers won't misinterpret these characters as code to execute. This is what most modern applications do to prevent XSS. The application should do this for every piece of user input that will be rendered or accessed by a user's browser. Many modern JavaScript frameworks such as React, Angular 2+, and Vue.js do this automatically, so many XSS vulnerabilities can be prevented simply by choosing the right JavaScript framework.
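The contextual encoding described above, as an added example that is not code from the book: one encoder for HTML element and attribute content (covering the characters the text lists) and a different one for a JavaScript string inside a `<script>` block. The profile template is a constructed fragment, not a real application.

```javascript
// Added example (not from the book): contextual output encoding for two sinks,
// HTML element/attribute content and a JavaScript string inside a <script> block.

// Characters with special meaning in HTML, the set listed in the text.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode untrusted data for an HTML body or quoted-attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode untrusted data for a JavaScript string literal inside <script>.
// JSON.stringify handles quotes, backslashes and control characters; the
// extra replacements keep "</script>" from closing the block early and
// neutralise U+2028/U+2029, which JSON allows but JS string literals once did not.
function encodeForJsString(untrusted) {
  return JSON.stringify(String(untrusted))
    .replace(/</g, '\\u003C')
    .replace(/>/g, '\\u003E')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render a constructed profile fragment: the same value lands in three contexts
// and each gets the encoder for that context.
function renderProfile(displayName) {
  return [
    `<h1>Hello, ${escapeHtml(displayName)}</h1>`,
    `<input name="display_name" value="${escapeHtml(displayName)}">`,
    `<script>var displayName = ${encodeForJsString(displayName)};</script>`,
  ].join('\n');
}
```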
The prevention of DOM-based XSS requires a different approach. Since the malicious user input won't pass through the server, sanitizing the data that enters and leaves the server won't work. Instead, applications should avoid code that rewrites the HTML document based on user input, and they should implement client-side input validation before user input is inserted into the DOM.
You can also take measures to mitigate the impact of XSS flaws if they do happen. First, you can set the `HttpOnly` flag on sensitive cookies that your site uses. This prevents attackers from stealing those cookies via XSS, because scripts running in the page cannot read them. You should also implement the `Content-Security-Policy` HTTP response header. This header lets you restrict how resources such as JavaScript, CSS, or images load on your web pages. To prevent XSS, you can instruct the browser to execute only scripts from a list of sources. For more information about preventing XSS attacks, visit the OWASP XSS prevention cheat sheet at https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html.
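The two mitigations just described, as an added example that is not code from the book: an `HttpOnly` session cookie, a `Content-Security-Policy` with a script allowlist, and a small checker that tells a weak policy (one that still permits inline scripts) from a strict one. `cdn.example.com` is a placeholder origin.

```javascript
// Added example (not from the book): the two mitigations described above, an
// HttpOnly session cookie and a Content-Security-Policy script allowlist, with a
// small checker that tells a weak policy from a strict one. cdn.example.com is a placeholder.

// Set-Cookie value. HttpOnly keeps the cookie out of document.cookie, so a script
// injected through XSS cannot read it; Secure and SameSite add defence in depth.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Build a CSP whose script-src is an explicit allowlist. With 'unsafe-inline'
// absent, injected inline <script> blocks and on* handlers do not execute.
function contentSecurityPolicy(scriptOrigins) {
  return [
    "default-src 'self'",
    `script-src ${["'self'", ...scriptOrigins].join(' ')}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Parse a CSP header value into a Map of directive name -> source list.
// The first occurrence of a directive wins, since browsers ignore repeats.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Does the policy stop injected inline scripts? script-src falls back to
// default-src; no directive covering scripts, a wildcard or 'unsafe-inline'
// means it does not. Conservative: 'unsafe-inline' is flagged even beside a
// nonce or hash, although CSP Level 3 browsers ignore it in that case.
function blocksInlineScripts(header) {
  const d = parseCsp(header);
  const src = d.get('script-src') ?? d.get('default-src');
  if (!src) return false; // nothing restricts scripts at all
  return !src.includes("'unsafe-inline'") && !src.includes('*');
}

// The weak setting beside the corrected one.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com";
const STRICT_CSP = contentSecurityPolicy(['https://cdn.example.com']);
```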