Is it safe to display user input as input values without sanitization?
Say we have a form where the user types in various info. We validate the info, and find that something is wrong. A field is missing, invalid email, et cetera.
When displaying the form to the user again I of course don't want him to have to type in everything again so I want to populate the input fields. Is it safe to do this without sanitization? If not, what is the minimum sanitization that should be done first?
And to clarify: It would of course be sanitized before being for example added to a database or displayed elsewhere on the site.
Comments (4)
No it isn't. The user might be directed to the form from a third party site, or simply enter data (innocently) that would break the HTML.
Convert any character with special meaning to its HTML entity.
i.e. & to &amp;, < to &lt;, > to &gt; and " to &quot; (assuming you delimit your attribute values using " and not ').
In Perl use HTML::Entities, in TT use the html filter, in PHP use htmlspecialchars. Otherwise look for something similar in the language you are using.
It is not safe, because, if someone can force the user to submit specific data to your form, you will output it and it will be "executed" by the browser. For instance, if the user is forced to submit
'/><meta http-equiv="refresh" content="0;http://verybadsite.org" />
, as a result an unwanted redirection will occur.
You cannot insert user-provided data into an HTML document without encoding it first. Your goal is to ensure that the structure of the document cannot be changed and that the data is always treated as data-values and never as HTML markup or Javascript code. Attacks against this mechanism are commonly known as "cross-site scripting", or simply "XSS".
If inserting into an HTML attribute value, then you must ensure that the string cannot cause the attribute value to end prematurely. You must also, of course, ensure that the tag itself cannot be ended. You can achieve this by HTML-encoding any chars that are not guaranteed to be safe.
If you write HTML so that the value of the tag's attribute appears inside a pair of double-quote or single-quote characters then you only need to ensure that you html-encode the quote character you chose to use. If you are not correctly quoting your attributes as described above, then you need to worry about many more characters including whitespace, symbols, punctuation and other ascii control chars. Although, to be honest, it's arguably safest to encode these non-alphanumeric chars anyway.
Remember that an HTML attribute value may appear in 3 different syntactical contexts:
Double-quoted attribute value
You only need to encode the double quote character to a suitable HTML-safe value such as &quot;
Single-quoted attribute value
You only need to encode the single quote character to a suitable HTML-safe value such as &lsquo;
Unquoted attribute value
You shouldn't ever have an html tag attribute value without quotes, but sometimes this is out of your control. In this case, we really need to worry about whitespace, punctuation and other control characters, as these will break us out of the attribute value.
Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of the attribute. Unquoted attributes can be broken out of with many characters, including [space] % * + , - / ; < = > ^ and | (and more). [para lifted from OWASP]
Please remember that the above rules only apply to control injection when inserting into an HTML attribute value. Within other areas of the page, other rules apply.
Please see the XSS prevention cheat sheet at OWASP for more information
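The attribute-context rules from the answers above, as an added Python example that is not part of the original thread: it echoes the redirect payload quoted earlier into an input's value attribute and uses an HTML parser to check whether the text stays a single attribute value. The helper names (render_input, value_survives) and the field name "email" are hypothetical.

```python
import html
from html.parser import HTMLParser

# The redirect payload quoted in the answer above, used as sample input.
PAYLOAD = "'/><meta http-equiv=\"refresh\" content=\"0;http://verybadsite.org\" />"

def encode_quoted(value):
    """For values inside "..." or '...': & < > " ' become entities."""
    return html.escape(value, quote=True)

def encode_unquoted(value):
    """For unquoted values: every character below 256 that is not an
    ASCII letter or digit becomes &#xHH;."""
    return "".join(
        c if (c.isascii() and c.isalnum()) or ord(c) >= 256
        else f"&#x{ord(c):02X};"
        for c in value
    )

def render_input(value, encoder=None, quote='"'):
    """Hypothetical form helper; encoder=None is the unsafe raw echo."""
    shown = encoder(value) if encoder else value
    return f'<input type="text" name="email" value={quote}{shown}{quote}>'

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parse_tags(markup):
    """Return [(tag, attrs)] as an HTML parser sees the markup."""
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.tags

def value_survives(markup, original):
    """True when the markup is one <input> whose value is the original text."""
    tags = parse_tags(markup)
    return (len(tags) == 1 and tags[0][0] == "input"
            and tags[0][1].get("value") == original)

if __name__ == "__main__":
    print(value_survives(render_input(PAYLOAD, None, "'"), PAYLOAD))           # raw echo
    print(value_survives(render_input(PAYLOAD, encode_quoted), PAYLOAD))       # quoted + encoded
    print(value_survives(render_input(PAYLOAD, encode_quoted, ""), PAYLOAD))   # unquoted, entity-only
    print(value_survives(render_input(PAYLOAD, encode_unquoted, ""), PAYLOAD)) # unquoted, &#xHH;
```

The third case shows why the unquoted context needs the stricter rule: the space in the text ends the value even though the quotes and angle brackets were encoded.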
Yes, it's safe, provided of course that you encode the value properly.
A value that is placed inside an attribute in an HTML needs to be HTML encoded. The server side platform that you are using should have methods for this. In ASP.NET for example there is a Server.HtmlEncode method, and the TextBox control will automatically HTML encode the value that you put in the Text property.