XSS JavaScript Protection

Published 2024-12-28 22:13:18 · 774 characters · 0 views · 0 comments


So I am using the jQuery UI library to open new dialog windows. When the new dialog windows are opened I am passing some parameters like this:

<a href="http://www.mysite.com/custompage.html?width=100&height=200&param1=abc&param2=http://www.anothersite.com&param3=custom3">open modal</a>

The site works fine with no issues at all; my custompage.html just picks up those values that were passed, and they are used on the page, something like this:

var a = customfunctionget(param1); var b = customfunctionget(param2)....

I just received a report that we are vulnerable to Cross-Site Scripting attacks by replacing any of the params with something like this:

><script>alert(123)</script><param 

I understand correctly what is supposed to happen, but on any browser in which I try to inject the script the alert is never displayed, so the "script/injection" is not being processed; custompage.html stops working as expected since we need the values to be entered correctly, but there is nothing I can do in that respect.

Is there a magic pill that I am missing here? Most of the XSS information that I find does the same thing, trying to inject an alert through a tag, but other than refusing to display any content if the parameter is not well formed, I don't know what else can be done.

Any recommendations, tutorials welcome.


Comments (2)

悲欢浪云 2025-01-04 22:13:19


There is an encodeURIComponent() function in JavaScript to encode special characters to avoid inserting scripts.

猛虎独行 2025-01-04 22:13:18


One of the easiest things you can do is encode all <, >, and & characters as &lt;, &gt;, and &amp;, respectively. Whenever a browser sees a <something> it thinks it's a DOM element. If you encode those characters, the browser will actually display them. This will foil people trying to execute <script>badstuff</script> on your site.

Note that people won't be able to do things like add <b> tags to things if you do this.

The above suggestion is a first step, but is by no means exhaustive.

I just found this, which seems like a good guide.
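The following is an added example, not code from the question or either answer. It puts the question's parameter-reading pattern (a hypothetical `getParam` standing in for `customfunctionget`) next to the encoding step this answer describes, and adds the allowlist checks the asker mentioned: dimensions must be integers and `param2` must be an http(s) URL. The query strings are constructed from the question's URL; node's built-in `URLSearchParams` and `URL` are used for parsing.

```javascript
// Constructed from the URL in the question (normal case).
const SAMPLE_QUERY =
  '?width=100&height=200&param1=abc&param2=http://www.anothersite.com&param3=custom3';
// Constructed: param1 carries the payload from the report, param2 stays valid.
const HOSTILE_QUERY =
  '?width=100&height=200&param1=><script>alert(123)</script><param&param2=http://www.anothersite.com';
// Constructed: param2 uses a non-http scheme and must be rejected by the allowlist.
const BAD_SCHEME_QUERY = '?width=100&height=200&param1=abc&param2=javascript:alert(1)';

// Stand-in for the question's customfunctionget(): read one query parameter as a string.
function getParam(query, name) {
  const value = new URLSearchParams(query).get(name);
  return value === null ? '' : value;
}

// Encode the characters the answer lists (plus quotes, so the value is also safe inside attributes).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The pattern the report exercised: the raw value is concatenated into markup,
// so "><script>...</script>" becomes live HTML when assigned via innerHTML.
function renderUnsafe(query) {
  return '<div class="title">' + getParam(query, 'param1') + '</div>';
}

// Hardened version: validate what has a known shape, encode what is free text.
// Returns null when a parameter is malformed (the asker's "refuse to display" behaviour).
function renderSafe(query) {
  const width = Number.parseInt(getParam(query, 'width'), 10);
  const height = Number.parseInt(getParam(query, 'height'), 10);
  const inRange = (n) => Number.isInteger(n) && n >= 1 && n <= 4000;
  if (!inRange(width) || !inRange(height)) return null;

  let link;
  try {
    link = new URL(getParam(query, 'param2'));
  } catch (e) {
    return null; // not an absolute URL at all
  }
  if (link.protocol !== 'http:' && link.protocol !== 'https:') return null;

  return '<div style="width:' + width + 'px;height:' + height + 'px">' +
    '<a href="' + escapeHtml(link.href) + '">' + escapeHtml(getParam(query, 'param1')) + '</a></div>';
}
```

In the dialog page the returned string, or a DOM built with `textContent` for the title and `href` set on an element, replaces the raw concatenation; `encodeURIComponent` from the first answer is what the opener should apply when building the link in the first place.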
