Why does the MS Anti-XSS library (v4) remove HTML5 data attributes?
The AntiXss library seems to strip out HTML5 data attributes; does anyone know why?
I need to retain this input:
<label class='ui-templatefield' data-field-name='P_Address3' data-field-type='special' contenteditable='false'>[P_Address3]</label>
The main reason for using the anti-XSS library (v4.0) is to ensure unrecognized style attributes are not parsed; is this even possible?
Code:
var result = Sanitizer.GetSafeHtml(html);
EDIT:
The input below results in the entire style attribute being removed.
Input:
var input = "<p style=\"width:50px;height:10px;alert('evilman')\"/> Not sure why is is null for some wierd reason!<br><p></p>";
Output:
var result = "<p style=\"\"/> Not sure why is is null for some wierd reason!<br><p></p>";
Which is fine if anyone messes around with my code on the client side, but I also need the data attribute tags to work!
I assume you mean the sanitizer, rather than the encoder. It's doing what it's supposed to: it simply doesn't understand HTML5 or recognise the attributes, so it strips them. There are ways to XSS via styles.
It's not possible to customise the safe list either, I'm afraid; the code base simply doesn't allow for this. I know a large number of people want that, but it would take a complete rewrite to support it.
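Since the AntiXSS v4 sanitizer has no configurable safe list, the behaviour the asker wants (keep `data-*` attributes, drop unrecognised style declarations, still block style-based XSS) has to come from a different sanitizer. The following is an added example, not code from the AntiXSS library or from either poster: a small allowlist sanitizer built on Python's `html.parser` that keeps `data-*` attributes, drops unknown elements and attributes (including event handlers), discards `<script>`/`<style>` content entirely, and filters the `style` attribute down to an allowlisted set of CSS properties whose values must match a strict grammar (lengths, hex colours, bare keywords). That last rule is what drops `alert('evilman')`, `expression(...)` and `url(javascript:...)` while keeping `width:50px;height:10px`. The tag, attribute and property allowlists are assumptions chosen for illustration; tune them to the application's template markup.

```python
"""Allowlist HTML sanitizer (added example): keeps data-* attributes,
drops unknown elements/attributes, and filters the style attribute
down to recognised CSS properties with a strict value grammar."""
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example; tune to the application's template markup.
ALLOWED_TAGS = {"p", "br", "label", "span", "div", "b", "i", "strong", "em"}
ALLOWED_ATTRS = {"class", "contenteditable", "style", "title"}
ALLOWED_CSS_PROPS = {"width", "height", "color", "font-weight", "text-align"}
DROP_CONTENT_TAGS = {"script", "style"}  # element *and* its text are discarded
VOID_TAGS = {"br"}
# Lengths, hex colours or bare keywords only: no quotes, parentheses,
# url(), expression() or backslash escapes can get through this.
CSS_VALUE_RE = re.compile(
    r"^(?:-?\d+(?:\.\d+)?(?:px|em|%|pt)?|#[0-9a-fA-F]{3,6}|[a-zA-Z-]+)$")
DATA_ATTR_RE = re.compile(r"^data-[a-z0-9-]+$")


def sanitize_style(value):
    """Keep only 'prop:value' declarations with an allowed property and a safe value."""
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue  # e.g. alert('evilman') is not a declaration at all
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_CSS_PROPS and CSS_VALUE_RE.match(val):
            kept.append(f"{prop}:{val}")
    return ";".join(kept)


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted markup; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skipping = None  # name of a script/style element being discarded

    def handle_starttag(self, tag, attrs):
        if self._skipping:
            return
        if tag in DROP_CONTENT_TAGS:
            self._skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element dropped; its text still flows through handle_data
        parts = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name == "style":
                value = sanitize_style(value)
                if not value:
                    continue  # nothing survived filtering, drop the attribute
            elif name not in ALLOWED_ATTRS and not DATA_ATTR_RE.match(name):
                continue  # covers onclick=, href=, srcdoc= and friends
            parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if self._skipping:
            if tag == self._skipping:
                self._skipping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data))  # text is always re-escaped on output


def sanitize(html):
    """Return the allowlisted re-serialisation of html."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs: the two from the question plus a style-based payload.
    print(sanitize("<label class='ui-templatefield' data-field-name='P_Address3' "
                   "data-field-type='special' contenteditable='false'>[P_Address3]</label>"))
    print(sanitize("<p style=\"width:50px;height:10px;alert('evilman')\"/> "
                   "Not sure why is is null for some wierd reason!<br><p></p>"))
    print(sanitize('<div style="width:expression(alert(1));'
                   'background:url(javascript:alert(1));color:red">x</div>'))
```

Two design points matter here. First, `data-*` attributes are kept by name pattern only; their values are re-escaped like any other attribute, so they cannot break out of the quoted value, but if the application later uses them in an unsafe sink (for example building a selector or `innerHTML` from `data-field-name`) that is a separate bug the sanitizer does not cover. Second, the style filter is a positive grammar rather than a blocklist of `expression`, `javascript:` and so on; anything with parentheses, quotes or an unknown property is rejected outright, which is the only reliable way to handle the style-based XSS vectors the answer alludes to.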