在 XML 中使用 CDATA 元素是否容易受到攻击?
在 XML 文档中使用 CDATA 元素是否存在漏洞?如果是这样,如果我们在 XML 文档中使用 CDATA 元素会发生什么?
Is it a vulnerable using CDATA element in XML documents? If so what happens if we use CDATA element in XML documents?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我不知道你所说的“漏洞”是什么意思,但是很多人在使用 CDATA 部分时犯了一个错误。当懒惰的程序员并不真正理解文本转义并试图避免对 XML 中的特殊字符进行
&编码的正常过程时,就会发生这种情况。他们认为他们可以逃脱:虽然这确实会阻止
textstring中的<或&字符被视为标记,但它是不是无懈可击的,因为文本字符串可能包含]]>序列,从而导致:这是一个 XML 注入,与 HTML 注入一样,可能会产生类似 XSS 的安全影响。
因此,您仍然需要转义 CDATA 中的某些序列(通常,您将在两个 CDATA 部分之间拆分
]]>序列)。在实践中,使用 CDATA 并不比仅以正常方式对文本内容进行&编码更容易。所以实际上没有理由使用 CDATA 部分。I don't know what you mean by ‘vulnerability’, but there is one mistake many people make with CDATA sections. This happens when a lazy programmer doesn't really understand text-escaping, and tries to avoid the normal process of
&-encoding special characters in XML. They think they can get away with:and whilst this will indeed stop a
<or&character intextstringbeing treated as markup, it's not watertight because textstring might contain a]]>sequence, resulting in:This is an XML-injection, which like an HTML-injection could potentially have an XSS-like security impact.
So you'd still need to escape some sequences in CDATA (usually, you would split a
]]>sequence between two CDATA sections). In practice that makes using CDATA no easier than just&-encoding your text content the normal way. So really there is no reason ever to use a CDATA section.CDATA 部分只是在 XML 文档中表示字符数据的另一种方式。它与文档中任何其他(非标签)文本的含义完全相同,只是它的转义方式不同。
不存在与 CDATA 相关的额外“漏洞”(当然,XML 解析库中的错误除外)。
A CDATA section is simply another way of representing character data within an XML document. It means exactly the same thing as any other (non-tag) text in a document, except that it's escaped differently.
There is no extra "vulnerability" associated with CDATA (except for bugs in your XML parsing library, of course).
容易受到什么伤害?某种注入攻击? CDATA 告诉解析器传递内容而不解析它,因此,如果您正在验证 XML,我认为 CDATA 部分会错过验证步骤。
使用 XML 流的代码应该具有某种高于模式验证的业务验证,因此只有在使用输入之前未能检查输入时,您才会面临风险。
Vulnerable to what? An injection attack of some kind? CDATA tells the parser to pass the contents without parsing it, so if you're validating your XML I suppose the CDATA section misses out on the validation step.
The code that uses the XML stream should have some kind of business validation above and beyond the schema validation, so you're only at risk if you fail to check inputs before you use them.