我正在构建一个网络应用程序,用户可以动态创建 HTML 内容。允许他们创建以 # 开头的链接是否安全(例如 XSS 攻击)?
我不知道为什么不会——也许我只是偏执而已。
(对于 # 网址,我的 Javascript 代码没有执行任何特殊操作。)
无论如何,我问的一个原因是我正在使用 Google Caja 的 html-sanitizer 用于清理 HTML。它过滤 URL:s,但是默认过滤器如下所示:
function urlX(url) { if(/^https?:\/\//.test(url)) { return url }}
也就是说,必须指定协议,并且只允许 HTTP 和 HTTPS,但不允许 javascript:。我最近将URL过滤功能更改为:(
function urlX(url) {
if (/^https?:\/\//.test(url) || /^#/.test(url)) return url;
}
即也允许#....。)
我想也许我应该问你是否认为#...代码> 链接安全吗?
(例如,浏览器不会对像“href='#javascript:....”这样的链接做任何疯狂的事情?好吧,它不会(无论如何不是我的浏览器),但也许还有其他一些......东西。 ..我不知道)
I'm building a webapp and users can create HTML contents dynamically. Is it safe (e.g. w.r.t. XSS attacks) to allow them to create links that start with #?
I don't know why it wouldn't be -- perhaps I'm just being paranoid.
(My Javascript code doesn't do anything particular, for # URLs.)
Anyway one reason I ask is that I'm using Google Caja's html-sanitizer to sanitize HTML. It filters URL:s, however the default filter looks like so:
function urlX(url) { if(/^https?:\/\//.test(url)) { return url }}
That is, the protocol must be specified and only HTTP and HTTPS are allowed but not javascript:. I recently changed the URL filtering function to:
function urlX(url) {
if (/^https?:\/\//.test(url) || /^#/.test(url)) return url;
}
(That is, #.... is allowed as well.)
I thought that perhaps I should ask if you think #... links are safe?
(For example, the browser won't do anything insane with links like `href='#javascript:....'? Well it does not (not my browser anyway), but perhaps there is some other ...something... that I'm not aware about)
发布评论
评论(2)
它应该是安全的:URL中
#之后的任何内容都会被解析为。当然,如果页面上有一些 JavaScript 会读取该片段标识符并对其执行一些不安全的操作,那么所有的赌注都会失败。但请注意,在这种情况下,您需要解决更根本的安全问题。
仅禁止以
#开头的链接不会有太大作用,因为攻击者仍然可以在完整 URL 中甚至在从其他位置指向您网站的链接中包含恶意片段标识符。It should be safe: anything after a
#in a URL is parsed as a fragment identifier by browsers.Of course, if you have some JavaScript on the page that reads that fragment identifier and does something unsafe with it, then all bets are off. But note that, in such a case, you have a more fundamental security problem that you need to fix.
Just disallowing links than begin with
#won't do much, since an attacker could still include a malicious fragment identifier in a full URL, or even in a link pointing to your site from somewhere else.这不安全。例如,jQuery 的
$(location.hash)存在 XSS 问题。 PoC 位于 http://ma.la/jquery_xss/。因此,要么禁止这样做,要么在#之后正确清理所有内容
It's not safe. For example, there was an XSS issue with jQuery's
$(location.hash). There is PoC at http://ma.la/jquery_xss/.So either forbid this or properly sanitize everything after #