使用白名单安全地剥离javascript中的html标签
[英]securely strip html tags in javascript with whitelist
问题描述
I want to strip almost every html tag from a string in javascript, allowing only a few basic tags 
我想从javascript的字符串中剥离几乎所有html标记,只允许几个基本标记
(& strip their attributes) to prevent Cross-Site-Scripting . (并去除其属性)以防止进行跨站点脚本编写 。
A lot of people say, it shouldn't be done with javascript, because clients might have javascript disabled, causing the filter to break. 许多人说,不应该使用javascript来完成,因为客户端可能禁用了javascript,从而导致过滤器损坏。 However my whole project depends on javascript, and no client with disabled javascript will ever see the output, plus I am unable to do it server-side. 但是,我的整个项目都依赖javascript,并且没有禁用javascript的客户端将永远不会看到输出,而且我无法在服务器端完成输出。
(1) Am I right to assume in this case it might be done securely? (1)在这种情况下,我是否可以安全地进行假设?
bobince recommends to use the DOM (instead of RegEx) to filter the potentially insecure input. bobince建议使用DOM (而不是RegEx)来过滤可能不安全的输入。 I am certainly no XSS expert but because his example depends on the string being inserted to the DOM before the filter does his job, I could imagine it might be insecure because of something like: 我当然不是XSS专家,但是因为他的示例取决于过滤器执行工作之前插入到DOM的字符串,所以我可以想象它可能是不安全的,原因如下:
var unsecureString = '<img src=".." onload="alert(\'bad\')" />';
$('#alice').update(unsecureString);
filterNodes($('#alice'), {p:[],a:['href']}); // see link above
(2) Can I be certain, the bad event above won't ever fire? (2)我能确定,上面的坏事件不会发生吗?
(3) If not: How to avoid such problems, but still use the DOM? (3)如果不是:如何避免此类问题,但仍使用DOM?
1 个解决方案
解决方案1
1 已采纳 2013-08-22 02:30:56
have a look at the google caja sanitizer. 看看谷歌caja消毒剂。
https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.