这个功能足够用于xss检测吗?
我在“symphony CMS”应用程序中找到它,它非常小:
https://github.com/symphonycms/xssfilter/blob/master/extension.driver.php#L100
我正在考虑窃取它并在我自己的应用程序中使用它使用 HTML 清理字符串以供显示。你认为它做得好吗?
ps:我知道有 HTML Purifier,但那东西很大。我宁愿选择不太宽松的方式,但我仍然希望它高效。
我一直在针对此页面中的字符串进行测试: http://ha.ckers.org/xss.html 。但如果针对“XSS locator 2”失败。但不确定如何使用该字符串来攻击网站:)
I found it inside the "symphony CMS" app, it's very small:
https://github.com/symphonycms/xssfilter/blob/master/extension.driver.php#L100
And I was thinking of stealing it and use it in my own application to sanitize string with HTML for display. Do you think it does a good job?
ps: I know there's HTML Purifier, but that thing is huge. And I'd rather prefer something less permissive, but I still want it to be efficient.
I've been testing it against strings from this page: http://ha.ckers.org/xss.html. But if fails against "XSS locator 2". Not sure how can anyone use that string to hack a site though :)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
不,我不会使用它。有许多不同的攻击,它们都取决于数据插入的上下文。单一功能无法涵盖所有这些。如果仔细观察,实际上只有四个测试:
没有测试其他任何东西。除了这些测试未检测到的攻击(误报)之外,它还可能将某些输入错误地报告为攻击(误报)。
因此,不要尝试检测 XSS 攻击,只需确保使用适当的清理即可。
No, I wouldn’t use it. There are many different attacks that all depend on the context the data is inserted into. One single function would not cover them all. If you take a close look, there are actually just four tests:
Nothing else is tested. Besides attacks that these tests don’t detect (false negative), it could also report some input mistakenly as an attack (false positive).
So instead of trying to detect XSS attacks, just make sure to use proper sanitizing.
我认为它在测试字符串方面做得很好,至少根据我的测试我可以这么说。
I think it does a good job for testing strings,at least that's what I can say according to my tests.