I am using a contentEditable div that allows users to edit the body HTML and then post it directly to the site using an AJAX request. Naturally, I have to do some security checks on it. The most obvious was ensuring that no script tags were submitted by searching for <script in the submitted HTML. This is done after first running htmlentities, transferring the data to another server, and then running html_entity_decode. In addition, every tag that is opened must be closed and every tag that is closed must be opened within the user-submitted HTML.
Disregarding unrelated security risks (such as SQL injection) and non-security risks (such as a user posting an inappropriate image), what are other security risks, if any, specifically linked to allowing a user to add HTML directly to a page?
To be more specific,
- Are there ways to put scripts in the page without explicitly using a script tag, OR
- Are there ways to compromise the security of a site or its users by editing the HTML without using scripts?
Did you think about the security risk from <object> and <embed> objects?
I'd use strip_tags() for stripping html tags.
Yes. There are an alarming number of ways that malicious code can be injected into your site.
Other answers have already mentioned all of the most obvious ones, but there are a lot of much more subtle ways to get in, and if you're going to accept user-submitted HTML code, you need to be aware of them all, because hackers don't just try the obvious stuff and then give up.
You need to check all event handling attributes - not just onclick, but everything: onfocus, onload, even onerror and onscroll can be hacked. But more importantly than that, you need to watch out for hacks that are designed to get past your validation. For example, using broken HTML to confuse your parser into thinking it's safe:
or
or
All of these could easily slip past a validator.
And don't forget that a real hack is likely to be more obfuscated than this. They'll make an effort to make it hard for you to spot, or to understand what it's doing if you do spot it.
I'll finish by recommending this site: http://html5sec.org/ which has details of a large number of attack vectors, most of which I certainly wouldn't have thought of. (the examples above all feature in the list)
Yes and yes.
There are A LOT of ways for users to inject scripts without script tags.
They can do it in JS handlers
They can do it in hrefs
They can do it from an external source
They can do it in ALL SORTS of ways.
I am afraid that the idea of allowing users to do this is just not a good one. Look at using Wiki markup/down instead. It'll be much safer.
Javascript can be called any number of ways by using the event attributes on elements, like:
A similar question posted here recommends using HTMLPurifier instead of trying to handle this on your own.
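The answers above all make the same point from different angles: a blocklist search for <script (the question's check) misses event-handler attributes, javascript: hrefs, external sources such as <object>/<embed>, and deliberately broken markup, and the robust alternative is what HTMLPurifier does, an allowlist rebuilt from a real parse. The following is an added example, not code from the question, any of the answers, or HTMLPurifier; it is a small allowlist sanitizer in Python whose tag, attribute and URL-scheme lists are assumptions chosen for the example. It keeps the question's own `<script` check alongside it so the gap is visible on the same constructed inputs.

```python
"""Allowlist HTML sanitizer (added example; the allowlists are assumptions).

Only explicitly permitted tags, attributes and URL schemes survive, so every
on* handler, every non-http(s) href/src, <object>/<embed>/<script> and their
bodies are dropped without having to enumerate them, and mis-nested or
unclosed input still produces well-formed output."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: anything not listed here is removed from user content.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}  # their text content is code, not prose


def naive_script_check(html: str) -> bool:
    """The check from the question: passes unless '<script' appears."""
    return "<script" not in html.lower()


def safe_url(value: str) -> bool:
    """Allow relative URLs and http(s); reject any other scheme. Browsers ignore
    control characters and whitespace inside a scheme, so strip them first."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, keeping only allowlisted parts."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []     # what was removed, for logging/alerting
        self.open_stack: list[str] = []  # currently open allowed tags
        self.skip_raw = False            # inside <script>/<style>: discard text

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_raw = True
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:  # html.parser lowercases names and decodes values
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}@{name}")  # covers every on* handler
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.dropped.append(f"url:{tag}@{name}={value}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_raw = False
            return
        if tag in VOID_TAGS or tag not in self.open_stack:
            return  # end tags of void, disallowed or never-opened tags are ignored
        # Close everything opened after it too, so mis-nested input such as
        # "<b>x<i>y</b>" still yields well-formed output.
        while self.open_stack:
            opened = self.open_stack.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if self.skip_raw:
            self.dropped.append("raw-text")
            return
        self.out.append(escape(data, quote=False))  # text can never become markup

    def handle_comment(self, data):
        self.dropped.append("non-element")  # comments, doctypes, PIs, CDATA

    handle_decl = handle_pi = unknown_decl = handle_comment

    def result(self) -> str:
        self.close()
        while self.open_stack:  # close whatever the input left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> tuple[str, list[str]]:
    """Return (clean_html, list_of_dropped_items)."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # Constructed samples of the input kinds the answers describe.
    for sample in ['<p onmouseover="run()">Hi</p>', '<a href="javascript:run()">x</a>',
                   '<object data="f.swf"></object>', '<b>bold <i>x</b>']:
        print(naive_script_check(sample), sanitize(sample))
```

The `dropped` list is the part worth keeping in production: logging what was stripped, per user, is how you notice someone probing the filter rather than silently cleaning their input. Note that the output is always re-serialized from the parse rather than edited in place, which is what makes the "every opened tag must be closed" requirement from the question hold by construction.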