如何防范 CSS 中的 XSS?

发布于 2024-11-02 14:12:36 字数 180 浏览 3 评论 0原文

我正在考虑允许我们的在线系统的用户通过简单地逐个用户地包含它们来控制他们自己的 .css 文件。

避免上述文件中任何潜在 XSS 攻击的最佳方法是什么?

有可能完全保护我们自己吗?

我们可以为他们托管文件,然后自己检查它们,但对于我们的用户来说,如果能够更新它们会更方便。

I'm looking at allowing users of our online system to control their own .css files with us by simply including them on a user by user basis.

What is the best way to avoid any potential XSS attacks in said files?

Is it possible to completely protect ourselves at all?

It would be possible for us to host the files for them and obviously then check them ourselves but it would be more convenient for our users to be able to update them as well.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

自此以后,行同陌路 2024-11-09 14:12:36

允许 CSS 的问题是可能发生许多巧妙的攻击。 CSS 确实非常危险。

某些 CSS 表达式允许执行任意 JavaScript。通过黑名单很难防止这种情况,所以我建议白名单。

此外,有人可能会创建一个 CSS 文件来更改页面以模拟另一个站点、另一个页面,或者可能巧妙地定向页面上的其他元素。想象一下,如果有人能够将自己的登录表单放置在您真实的登录表单之上。然后他们可以拦截登录请求。根据您网站的设置方式,这可能可行,也可能不可能;但请注意!有些人将其称为“点击劫持”。

The problem with allowing CSS is that many clever attacks can occur. CSS can be very dangerous indeed.

Some CSS expressions allow executing arbitrary JavaScript. This is difficult to prevent by blacklisting, so I'd suggest whitelisting.

Additionally, someone may create a CSS file that changes the page to impersonate another site, another page, or maybe it cleverly orients other elements on the page. Imagine if someone were able to position their own login form above your real one. Then they could intercept login requests. Depending on how your site is set up, this may or may not be possible; but be forewarned! Some know this as clickjacking.

美羊羊 2024-11-09 14:12:36

首先,正如其他人所说,要谨慎行事。除此之外,尝试将文件中期望的有效输入列入白名单。看看是否可以找到适合您所选框架的任何库(您没有提到这是什么),它可以验证字符串是否符合 CSS 结构。

您可能要考虑的另一件事是参数化某些 CSS 属性并允许用户配置它们(即颜色、字体等)。这将显着降低您的风险,因为它消除了任意创建您自己的恶意 CSS 的能力(相反,创建您自己的无辜 CSS!)

至于您最初的问题“是否有可能完全保护我们自己?”,这很简单- 不!

Firstly, exercise caution, as others have said. Beyond that though, try and white-list the valid inputs you'd expect in the file. See if you can locate any libraries for your chosen framework (you haven't mentioned what this is), that can validate a string for CSS structure compliance.

The other thing you might to consider is parameterising certain CSS attributes and allowing users to configure them (i.e. color, font etc). This would significantly mitigate your risk as it takes out the ability to arbitrarily create your own malicious CSS (and conversely, create your own innocent CSS!)

As for your original question "Is it possible to completely protect ourselves at all?", that's easy - no!

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文