Json.encode 特殊符号 \u003c MVC3
我有 JavaScript 应用程序,在其中使用客户端模板(underscore.js、Backbone.js)。
初始页面加载的数据像这样绑定到页面中(.cshtml Razor 文件):
<div id="model">@Json.Encode(Model)</div>
Razor 引擎执行转义,因此,如果 Model 是
new { Title = "<script>alert('XSS');</script>" }
,在输出中我们有:
<div id="model">{"Title":"\u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e"}</div>
在“解析”操作之后:
var data = JSON.parse($("#model").html());
我们的对象数据的 "Title" 字段与 ""!
当它转到下划线模板时,它会发出警报。
不知何故,类似 \u003c- 的符号被视为正确的“<”符号。
如何从数据库中将“<”符号转义为 < 和 >(如果它们以某种方式到达那里)?
也许我可以调整 Json.Encode 序列化来转义这些符号? 也许我可以设置我正在使用的实体框架,以便在从数据库获取数据时始终自动转义这些符号?
I have JavaScript application, where I use client-side templates (underscore.js, Backbone.js).
Data for initial page load is strapped into the page like this (.cshtml Razor-file):
<div id="model">@Json.Encode(Model)</div>
Razor engine performs escaping, so, if the Model is
new { Title = "<script>alert('XSS');</script>" }
, in output we have:
<div id="model">{"Title":"\u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e"}</div>
Which after "parse" operation:
var data = JSON.parse($("#model").html());
we have object data with "Title" field exactly "<script>alert('XSS');</script>"!
When this goes to underscore template, it alerts.
Somehow \u003c-like symbols are treated like proper "<" symbols.
How do I escape "<" symbols to < and > from DB (if they somehow got there)?
Maybe I can tune Json.Encode serialization for escaping these symbols?
Maybe I can set up Entity Framework which I`m using, for automatically escape these symbols absolutely all the time when getting data from DB?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
\u003c 和类似的代码对于 JS 来说是完全有效的。如果您愿意,您可以使用此语法混淆整个 JS 文件。本质上,您看到的是转义字符 \、u 表示 unicode,然后是与符号相关的 4 个字符的十六进制代码。
http://javascript.about.com/library/blunicode.htm
\u003c - 作为您已经注意到,是 <特点。
在 MVC 端“修复”此问题的一种方法是编写一个 RegEx 来查找模式 \u - 然后捕获接下来的 4 个字符。然后,您可以将它们取消编码为实际的 unicode 字符 - 并通过 XSS 预防算法运行生成的文本。
正如您在问题中所指出的 - 只需寻找“<”没有帮助。您也不能只查找“\u003cscript” - 因为这假设潜在的黑客并没有简单地对整个“script”标签词进行 unicode 编码。更安全的方法是取消转义所有这些类型的代码,然后以纯文本形式清理 HTML。
顺便说一句,注意到这是 XSS 预防中常见的(迄今为止尚未解决的)问题之一,可能会让您感觉更好。因此,您并不是唯一一个想要更好的解决方案的人...
您可以查看以下库来帮助实际的 html 清理:
http://wpl.codeplex.com/(微软尝试解决方案 - 尽管用户反馈非常糟糕)
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET (一个私人项目,旨在做很多此类预防工作。我发现它很难使用,并且在 .NET 中实现得很差)
不过,两者都是很好的参考。
\u003c and similar codes are perfectly valid for JS. You can obfuscate whole JS files using this syntax, if you so choose. Essentially, you're seeing an escape character \, u for unicode, and then a 4-character Hex code which relates to a symbol.
http://javascript.about.com/library/blunicode.htm
\u003c - as you've noted, is the < character.
One approach to "fixing" this on the MVC side would be to write a RegEx which looks for the pattern \u - and then captures the next 4 characters. You could then un-encode them into actual unicode characters - and run the resultant text through your XSS prevention algorithms.
As you've noted in your question - just looking for "<" doesn't help. You also can't just look for "\u003cscript" - because this assumes the potential hacker hasn't simply unicode-encoded the entire "script" tag word. The safer approach is to un-escape all of these kinds of codes and then cleanse your HTML in plain-text.
Incidentally, it might make you feel better to note that this is one of the common (and thusfar poorly resolved) issues in XSS prevention. So you aren't alone in wanting a better solution...
You might check out the following libraries to assist in the actual html cleansing:
http://wpl.codeplex.com/ (Microsoft's attempt at a solution - though very bad user feedback)
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET (A private project which is designed to do a lot of this kind of prevention. I find it hard to use, and poorly implemented in .NET)
Both are good references, though.
在将字符串提供给 Underscore 之前,您需要将其编码为 HTML。
"Underscore.js 模板中的 HTML 转义" 解释了如何进行来做到这一点。
You need to encode your string as HTML before providing it to Underscore.
"HTML escaping in Underscore.js templates" explains how to do this.
如果您想编写未编码的内容,则需要使用 Html.Raw() helper:
编辑:
我想,也许我不明白你的问题是什么。例如,在测试控制器中,我
在相关视图中具有以下内容:
依次输出到控制台:
并打开警报。
If you want to write unencoded content you will need to use the Html.Raw() helper:
Edit:
I guess, perhaps I'm not understanding what your problem is. For example within a test controller I have the following
In the related view:
Which in turn outputs to the console:
And opens the alert.