跨站脚本:如何检查字符串
我有一根绳子。这是某些 html 标签的某些属性的值。
如何检查该字符串是否包含javascript?
例如(IMG标签的SRC属性):
1. <IMG src="javascript:alert('XSS')"> - contains script<br/>
2. <IMG src="JaVaScRiPt:alert('XSS')"> - contains script<br/>
3. <IMG javascript:alert('XSS')> - also contains javascript
I have a string. This is the value of some attribute of some html tag.
How to check if this string contains javascript?
For example (SRC attribute of IMG tag):
1. <IMG src="javascript:alert('XSS')"> - contains script<br/>
2. <IMG src="JaVaScRiPt:alert('XSS')"> - contains script<br/>
3. <IMG javascript:alert('XSS')> - also contains javascript
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您首先必须规范化,然后进行检查。但我会考虑 HtmlPurifier 或 OWASP AntiSamy。
You first have to canonicalize, then check. But i would look at HtmlPurifier or OWASP AntiSamy for that.
这很难做到,因为有很多奇怪而棘手的方法可以潜入 JavaScript。
HTMLPurifier如果您必须首先允许 HTML 输入,a> 具有相当复杂的解析来过滤掉所有潜在不安全的 HTML。
但是,通常您甚至不应该尝试这样做,而只需始终转义字符串。
在 PHP 中,即:
在 JS 中,您可以使用
document.createTextNode()或 jQuery 的等效$(el).text()安全地将文本插入到 DOM 中(这两种方法不需要转义)。It's pretty hard to do, as there are lots of odd and tricky ways to sneak JavaScript in.
HTMLPurifier has pretty complex parsing to filter out all potentially unsafe HTML if you must allow HTML input in the first place.
However, generally you shouldn't even try to do that, and simply always escape the string.
In PHP that is:
In JS you can use
document.createTextNode()or jQuery's equivalent$(el).text()to safely insert text into DOM (those two methods don't require escaping).