如何安全地使用 fckEditor,而不存在跨站脚本风险?
此链接描述了使用 fckEditor 对我的应用程序的利用: http://knitinr.blogspot.com/2008/07/ script-exploit-via-fckeditor.html
如何在仍然使用 fckEditor 的同时确保我的应用程序安全? 是fckEditor配置吗? 从 fckEditor 获取文本后,我应该在服务器端进行一些处理吗?
这是一个难题,因为 fckEditor 使用 html 标签进行格式化,所以当我显示文本时我不能只进行 HTML 编码。
This link describes an exploit into my app using fckEditor:
http://knitinr.blogspot.com/2008/07/script-exploit-via-fckeditor.html
How do I make my app secure while still using fckEditor? Is it an fckEditor configuration? Is it some processing I'm supposed to do server-side after I grab the text from fckEditor?
It's a puzzle because fckEditor USES html tags for its formatting, so I can't just HTML encode when I display back the text.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
清理 html 服务器端,别无选择。 对于 PHP 来说,它是 HTML Purifier,对于 .NET 我不知道。 清理 HTML 是很棘手的 - 仅仅去除脚本标签是不够的,您还必须注意 on* 事件处理程序,甚至更多,这要归功于 IE 的愚蠢行为。
此外,使用自定义 html 和 css,很容易劫持网站的外观和布局 - 使用覆盖所有屏幕的覆盖层(绝对定位)等。为此做好准备。
Sanitize html server-side, no other choice. For PHP it would be HTML Purifier, for .NET I don't know. It's tricky to sanitize HTML - it's not sufficient to strip script tags, you also have to watch out for on* event handlers and even more, thanks to stupidities of IE for example.
Also with custom html and css it's easy to hijack look and layout of your site - using overlay (absolutely positioned) which covers all screen etc. Be prepared for that.
该错误实际上并不是 FCKeditors 的错。 只要您允许用户编辑将在您的网站上显示的 HTML,他们就总是有可能造成伤害,除非您在输出数据之前检查数据。
有些人使用 HTMLencoding 来做到这一点,但这会破坏 FCKeditor 完成的所有格式,而不是您想要的。
也许您可以使用Microsoft 反跨站脚本库。 MSDN 上的示例
The bug is not actually FCKeditors fault. As long as you let users edit HTML that will be displayed on your web site they will always have to possibility to do harm unless you check the data before you output it.
Some people use HTMLencoding to do this, but that will destroy all the formatting done by FCKeditor, not what you want.
Maybe you can use the Microsoft Anti-Cross Site Scripting Library. Samples on MSDN
恰恰。 StackOverflow 也有一些与此相关的早期问题。 解决这个问题的最简单方法是使用 HTML 库来解析用户的输入,然后转义输出中不需要的任何标签。 将此作为打印到页面时的后处理步骤 - 数据库中的数据应与用户输入的数据完全相同。
例如,如果用户输入
,您的代码会将其转换为
<script>此处为邪恶</script>
在渲染页面之前。并且不要使用正则表达式来解决这个问题,这只是邀请聪明的人再次打破它。
Precisely. StackOverflow had some early issues related to this as well. The easiest way to solve it is to use an HTML library to parse user's input, and then escape any tags you don't want in the output. Do this as a post-processing step when printing to the page -- the data in the database should be the exact same as what the user typed in.
For example, if the user enters
<b><script>evil here</script></b>
, your code would translate it to<b><script>evil here</script></b>
before rendering the page.And do not use regular expressions for solving this, that's just an invitation for somebody clever to break it again.
XSS 是一件棘手的事情。 我建议阅读:
无论如何,我的总结是,归根结底,你必须只允许严格接受的物品; 你不能拒绝已知的利用向量,因为否则你将永远是永恒斗争的幕后黑手。
XSS is a tricky thing. I suggest some reading:
Anyway, my summary is when it comes down to it, you have to only allow in strictly accepted items; you can't reject known exploit vectors because or you'll always be behind the eternal struggle.
我认为有些人提出的问题并不是Fckeditor只编码几个标签。 这是一个天真的假设,认为邪恶的用户会使用 Fckeditor 来编写他的恶意代码。 允许手动更改输入的工具有很多。
我将所有用户数据视为受污染的; 并使用 Markdown 将文本转换为 HTML。 它会清理文本中发现的任何 HTML,从而减少恶意行为。
I think the issue raised by some is not that Fckeditor only encodes a few tags. This is a naive assumption that an evil user will use the Fckeditor to write his malice. The tools that allow manual changing of input are legion.
I treat all user data as tainted; and use Markdown to convert text to HTML. It sanitizes any HTML found in the text, which reduces malice.
是否要求使用 FCKEditor,或者您可以使用不同的编辑器/标记语言吗? 我建议使用 Markdown 和 WMD 编辑器,这与 StackOverflow 使用的语言相同。 .NET 的 Markdown 库应该有一个转义所有 HTML 标签的选项——一定要打开它。
Is use of FCKEditor a requirement, or can you use a different editor/markup language? I advise using Markdown and WMD Editor, the same language used by StackOverflow. The Markdown library for .NET should have an option to escape all HTML tags -- be sure to turn it on.
FCKEditor 可以配置为仅使用几个标签。 您需要对除那几个标签之外的所有内容进行编码。
这些标签是: <你>
<块引用> <字体> <跨度>。
字体标签应仅具有字体和大小属性。
span 标签应该只有一个 class 属性。
这些标签不允许有其他属性。
FCKEditor can be configured to use only a few tags. You will need to encode everything except for those few tags.
Those tags are: <strong> <em> <u> <ol> <ul> <li> <p> <blockquote> <font> <span>.
The font tag only should have face and size attributes.
The span tag should only have a class attribute.
No other attributes should be allowed for these tags.