Is html_safe a good practice when storing video embed links as text?
My app allows users to embed videos from popular sites like YouTube, etc. I have a text_area_field to accept the embed code as a string and save it to the database. I am doing some basic validation with a regular expression to filter certain parts of the embed code. Sample embed code from YouTube:
<iframe width="560" height="315" src="http://www.youtube.com/embed/INx7B2yyD0g" frameborder="0" allowfullscreen></iframe>
When I display the video back to the user I do this in my view:
<%= user.content.html_safe %>
What I would like to know is the following:
1. Is it safe to call html_safe on user submitted data? What other options do I have?
2. Is storing the embed code as a string type good practice?
3. Are there any loopholes for users to submit bad scripts?
4. What can be done differently to prevent such attacks?
Thanks
Comments (1)
You could go the route of using something like the sanitize gem with a custom whitelist. But since it would have to accept things like <iframes>, that could get tricky. The safest bet would probably be to use an HTML parser like nokogiri to parse out the specific needed values and insert them into your own template for each service.
For your example embed code:
You'd just need to grab something like:
It's definitely more work since you'd have to have different parsers and templates for each different video service you supported. But it's the safest way I can think of to avoid malicious HTML injection.
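As an added example (not code from the answer above or from the original poster's app), here is the "extract the values, then render your own template" approach for the YouTube case, in plain Ruby. It uses only the standard library (URI and ERB::Util) instead of nokogiri so it runs without extra gems: it pulls the src attribute out of the pasted iframe, checks that it is an http(s) URL on an allow-listed host with a path of exactly /embed/<id>, and then builds the iframe from a fixed template so nothing the user typed (onload=, style=, script tags, odd hosts) ever reaches the page. The function names, the ALLOWED_HOSTS list, the 11-character ID rule and the SAMPLES inputs are this example's own assumptions, not a Rails or YouTube API.

```ruby
# Added example, not from the original post: validate-and-re-render instead of
# calling html_safe on the raw string a user submitted.
require "uri"
require "erb"

# Hosts whose /embed/<id> URLs we are willing to turn into an iframe
# (an assumed allowlist; extend it per service you support).
ALLOWED_HOSTS = %w[www.youtube.com youtube.com www.youtube-nocookie.com].freeze

# Assumption: a YouTube video ID is 11 characters from this alphabet.
YOUTUBE_ID = /\A[A-Za-z0-9_-]{11}\z/

# The only thing we take from the submitted embed code is the value of the
# iframe's src attribute; every other attribute (onload=, style=, ...) is
# dropped because we never copy the user's markup into the page.
SRC_ATTR = /<iframe\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/i

# Returns the video ID if the pasted code is a YouTube embed iframe, else nil.
def extract_youtube_id(embed_code)
  m = SRC_ATTR.match(embed_code.to_s)
  return nil unless m

  begin
    uri = URI.parse(m[1])
  rescue URI::Error
    return nil
  end

  # Require an http(s) URL on an allow-listed host. This rejects javascript:
  # and data: URLs, relative URLs, look-alike hosts such as
  # www.youtube.com.evil.example and userinfo tricks like
  # http://www.youtube.com@evil.example/ (whose host is evil.example).
  return nil unless %w[http https].include?(uri.scheme)
  return nil unless ALLOWED_HOSTS.include?(uri.host)

  # Path must be exactly /embed/<id>; query string and fragment are ignored,
  # and anything with extra path segments (e.g. /embed/../../x) is rejected.
  path_match = %r{\A/embed/([^/?#]+)\z}.match(uri.path)
  return nil unless path_match

  id = path_match[1]
  YOUTUBE_ID.match?(id) ? id : nil
end

# Our own template: the markup is fixed, and the only user-derived value is
# the validated ID, which is HTML-escaped again before interpolation so the
# template stays safe even if the ID rule is relaxed later. The result is
# built by us, so marking it html_safe in a Rails view is then legitimate.
def render_embed(embed_code)
  id = extract_youtube_id(embed_code)
  return nil unless id

  safe_id = ERB::Util.html_escape(id)
  %(<iframe width="560" height="315" src="https://www.youtube.com/embed/#{safe_id}" frameborder="0" allowfullscreen></iframe>)
end

# Constructed sample inputs: the first is the embed code from the question,
# the rest are things a malicious user might paste instead.
SAMPLES = {
  "youtube"        => '<iframe width="560" height="315" src="http://www.youtube.com/embed/INx7B2yyD0g" frameborder="0" allowfullscreen></iframe>',
  "script tag"     => '<script>alert(document.cookie)</script>',
  "javascript src" => '<iframe src="javascript:alert(1)"></iframe>',
  "lookalike host" => '<iframe src="http://www.youtube.com.evil.example/embed/INx7B2yyD0g"></iframe>',
  "userinfo trick" => '<iframe src="http://www.youtube.com@evil.example/embed/INx7B2yyD0g"></iframe>',
  "extra handler"  => '<iframe src="http://www.youtube.com/embed/INx7B2yyD0g" onload="alert(1)"></iframe>',
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each { |label, code| puts "#{label.ljust(15)} => #{render_embed(code).inspect}" }
end
```

Only the "youtube" and "extra handler" samples produce an iframe, and both produce the same one, because the extra onload attribute is never read. Everything else returns nil and should be rejected at validation time, so the database never holds raw markup at all, only the extracted ID (which also answers the "store it as a string" question: store the ID, not the HTML). Each additional service you support needs its own extractor and template, exactly as the answer says; for embed codes that are more complex than a single iframe, swapping the SRC_ATTR regex for a real parser such as nokogiri is the more robust choice.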