将不受信任的数据传递到Javascript脚本的不同方法?
[英]Different way to pass untrusted data into a Javascript script?
问题描述
I have a Javascript function that retrieves data from the form onClick via the submission button. 
我有一个Javascript函数,可通过提交按钮从onClick表单中检索数据。
function valueCheck()
{
var cCheck = document.getElementById("c");
var cChoice = chemCheck.options[chemCheck.selectedIndex].value;
var coCheck = document.getElementById("co");
var coChoice = compCheck.options[compCheck.selectedIndex].value;
var gCheck = document.getElementById("g");
var gChoice = geoCheck.options[geoCheck.selectedIndex].value;
var mCheck = document.getElementById("m");
var mChoice = mathCheck.options[mathCheck.selectedIndex].value;
var pCheck = document.getElementById("p");
var pChoice = physCheck.options[physCheck.selectedIndex].value;
According to OSWAP XSS PREVENTION CHEAT SHEET this is unsafe. 根据OSWAP XSS PREVENTION CHEAT SHEET,这是不安全的。 The data is 'sanitized' using filter_var($var, FILTER_SANITIZE_STRING) and I trim() it as well for good measure. 使用filter_var($var, FILTER_SANITIZE_STRING)对数据进行“清理” filter_var($var, FILTER_SANITIZE_STRING)并且我也会对其进行trim()以便进行良好测量。 Unfortunately, this is server-side so it doesn't help. 不幸的是,这是服务器端的,所以没有帮助。 Right now there is a vulnerability if someone were to change the values in the select menu. 现在,如果有人要更改选择菜单中的值,则存在一个漏洞。 I call my Javascript function like so: 我这样调用我的Javascript函数:
<input type="submit" name="submit" onClick="return function();">
It needs to be able to work client-side. 它需要能够在客户端工作。 How can I filter/sanitize the data before I pass it to my Javascript function? 在将数据传递给Javascript函数之前,如何过滤/清除数据? I need to get each value in the select boxes so I can make sure they aren't the same. 我需要在选择框中获取每个值,以便确保它们不相同。 (Note the whole function isn't shown above, I can provide it if needed. I think the issue is mainly the way I put the data into the script). (请注意,上面没有显示整个功能,我可以根据需要提供它。我认为问题主要是我将数据放入脚本的方式)。
How can I escape the data? 如何转义数据?
EDIT: To clarify my question, I am wondering if there is a secure method to passing client-side data to a javascript function. 编辑:为了澄清我的问题,我想知道是否存在将客户端数据传递到javascript函数的安全方法。 This data hasn't been sanitized yet (besides all the client-side stuff I can do to it) so I'm worried that there may be an XSS vulnerability. 该数据尚未经过清理(除了我可以做的所有客户端工作),因此我担心可能存在XSS漏洞。 According to the OSWAP XSS Prevention Cheat Sheet I'm supposed to escape data, but I am not too sure how to do this as well. 根据OSWAP XSS预防速查表,我应该转义数据,但我也不太确定该怎么做。 I do not render any user-inputted data into the browser, it is only stored. 我不会将用户输入的任何数据呈现到浏览器中,而只是将其存储。
EDIT2: I think I finally understand. EDIT2:我想我终于明白了。 The XSS vulnerabilities mentioned in the OSWAP cheatsheet refer to placing user-given data into HTML/other things and displaying it back to the page? OSWAP速查表中提到的XSS漏洞是指将用户提供的数据放入HTML /其他内容并将其显示回页面吗? If I'm only saving this to text files/csv files I think I'd just have to make sure everything is good server-side. 如果仅将其保存到文本文件/ csv文件中,我想我只需要确保一切都在服务器端良好即可。
1 个解决方案
解决方案1
0 已采纳 2014-09-24 15:59:52
If you only store data, there is no XSS vulnerability. 如果仅存储数据,则没有XSS漏洞。 End of strory. 故事结束。 However, you should still check input data length if you don't want someone to put 10TB of data into your server. 但是,如果您不希望有人将10TB的数据放入服务器,则仍应检查输入数据的长度。
Generally client-side is an illusion. 通常,客户端是一种错觉。 HTML and JavaScript are like curtain that covers real code of your webapp (php or whatever you got on server side). HTML和JavaScript就像帷幕一样,涵盖了Web应用程序的真实代码(php或服务器端提供的任何内容)。 You can never trust client side data, even if you filter it with JS. 即使使用JS过滤客户端数据,也永远不会信任它。 Someone can basically turn off JS or use some other software than browser to comunicate with your website (like netcat or curl). 基本上,有人可以关闭JS或使用浏览器以外的其他软件与您的网站进行通讯(例如netcat或curl)。
I recommend you to watch this whole movie so you can imagine way hackers will hack you. 我建议您观看整部电影,以便您可以想象黑客将如何入侵您。
Remember, filter input/output data server side . 记住, 过滤输入/输出数据服务器端 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.