在文本区域中显示未经处理的用户输入是否存在风险?
我按以下顺序保存用户输入的两个版本:
- 不受信任的用户输入原始降价。
- 原始降价存储在一张表中。
- 原始 Markdown 的副本将转换为 HTML。
- HTML 被清理和保留,并根据请求显示。
- 仅当用户编辑条目时才会显示原始 Markdown 版本;它被加载到表单的文本区域中。
将原始 Markdown(可能包含不安全的 HTML)加载到文本区域是否存在风险?它永远不会显示在文本区域之外。
我无法清理 Markdown,因为这会导致我保存的 Markdown 版本和 HTML 版本之间不一致。
仅供参考:我总是清理 SQL,无论我将什么保存到数据库中。
I save two versions of user input in the following sequence:
- Untrusted user enters raw markdown.
- Raw markdown is stored in one table.
- A copy of the raw markdown is converted into HTML.
- HTML is sanitized and persisted, and is displayed upon request.
- The raw markdown version is only displayed when users edit a entry; it's loaded into a textarea of a form.
Is there any risk in loading raw markdown (which could potentially contain unsafe HTML) into a textarea? It would never be displayed outside of a textarea.
I can't sanitize the markdown because it would result in inconsistencies between the markdown and HTML versions I'm saving.
FYI: I always sanitize SQL, regardless of what I'm saving to the DB.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您不必在那里对其进行清理,只需注意正确转义 HTML 特殊字符,例如 <和>。
例如,Stackoverflow 允许您在帖子中发布 HTML 代码,但它不会删除任何内容。这是通过编码而不是清理来实现的。
You don't have to sanitize it there, just take care of correctly escaping HTML special characters such as < and >.
For instance, Stackoverflow allows you to post HTML code in your posts, it does not remove anything. This is achieved by encoding, not sanitizing.
这取决于您如何将其“加载”到
textarea中。如果您通过简单的字符串连接在服务器端进行操作,例如在 php 中,...那么绝对存在风险,因为该 markdown 可以很容易地关闭
textarea并嵌入它的其他内容想要。如果您使用某种组件框架(例如 ASP.NET),那么只要您使用安全的 API 方法(例如MyTextArea.Value = markdown;),您就应该受到保护。如果您在客户端执行此操作,这还取决于您如何执行此操作。如果您使用 jQuery 的
.val()setter 之类的东西,您会是安全的,但仍然可能通过其他方法使自己暴露于 XSS 漏洞。简而言之,一般答案是肯定的,具体取决于您实际创建和填充
textarea的方式。It depends how you're "loading" it into the
textarea. If you're doing it server-side through simple string concatenation, e.g. in php,...then there is absolutely a risk, because that markdown could very easily close out the
textareaand embed whatever else it wants. If you're using some sort of a component framework (e.g., ASP.NET), then you should be protected as long as you use a safe API method, such asMyTextArea.Value = markdown;.If you're doing it client-side, it also depends on how you're doing this. You would be safe if you used something like jQuery's
.val()setter, but could still expose yourself to XSS vulnerabilities through other approaches.In short, the general answer is yes, depending on how you're actually creating and populating the
textarea.你至少在做 SQL 清理工作吗?当您 INSERT 或 UPDATE 数据时,您是否使用某种类型的 DAO 来转义 SQL,或者如果使用 Java,则使用在其中设置参数的准备语句?
在事物进入数据库之前,您必须始终对其进行消毒。否则人们可能会在
请求中添加一个流浪的..。
在文本框中留下未经处理的输入存在一些安全风险;主要是如果用户感染了注入 Javascript 的东西,它每次都会显示出来。
为什么还要保存它?那么您是否为用户提供了从输入内容到显示内容完全不一致的视图?他们不会匹配。最好清理输入,这样当用户再次查看输入时,他或她可以清楚地看到出于安全考虑,有问题的 HTML 已被删除。
Are you at least doing SQL sanitation? When you INSERT or UPDATE the data, are you using some type of DAO that escapes the SQL or, if using Java, using a Prepared Statement where you set the arguments?
You must always sanitize things before they go into the DB. Otherwise people could add a stray
..into a request.
There are some security risks to leaving unsanitized input in the text box; mainly if the user is infected with something that's injecting Javascript, it will show up for him or her each time.
Why even save that? Then you're giving your user a totally inconsistent view from what they enter to what is displayed? They won't match up. It's best to clean the input so when they user views it again he or she can clearly see that the offending HTML was removed for security.