

XSS in Javascript when sending encrypted data to server

What is the best way of input sanitisation in Javascript when dealing with encrypted data? Let's say Bob enters the malicious code in the form instead of the regular message, my JS encrypts it with RSA and sends it to the server, where the message waits for Alice to retrieve it. After decryption on Alice's computer the malicious code steals some important secret from LocalStorage, for example.

Am I right that the only way is to check if the message contains some bad code right after decryption? Maybe allow only alphanumeric characters with some other basic ones, and when the decrypted message contains anything else just stop the script from running and erase the msg from memory?

I think the best solution here is not to sanitize Bob's input, but to sanitize it before displaying it to Alice. Thus even if there is some malicious code entered by Bob, it will never get executed before displaying.

So, just do something like this:

  1. Bob enters a malicious message and encrypts it via RSA.
  2. The message is sent to the server.
  3. Alice retrieves her message, decodes it and performs message sanitizing before displaying. Even simple replacement of quotes (`"` and `'`) and brackets (`<` and `>`) with appropriate HTML entities (`&quot;`, `&lt;` etc.) by JavaScript before displaying the decrypted message is enough to keep Alice safe from XSS.

Thus the code will not steal anything from Alice.
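The output-encoding step from the answer above, as an added example that is not part of the original post or the asker's code. It escapes the quotes and angle brackets the answer names and additionally `&`, so that a message that already contains an entity such as `&lt;` cannot be misread. The `decryptedSample` string and the `fakeContainer` object are constructed stand-ins for the RSA-decrypted plaintext and for a DOM element; the decryption step itself is assumed to have already happened and is out of scope here.

```javascript
// Added example, not from the original post. Encryption protects the
// message in transit and on the server; it does nothing for Alice's browser.
// Output encoding at display time is what prevents the stored XSS.

// The five characters that can switch HTML parsing context. "&" is escaped
// too (the answer lists only quotes and brackets) so entity text inside the
// message survives unchanged instead of being decoded by the browser.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Output-encode a decrypted plaintext so it can only ever render as text.
function escapeHtml(plaintext) {
  return String(plaintext).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Preferred path in a real page: assign to textContent. The browser treats
// the string as data, never as markup, so no manual escaping is needed.
function renderDecryptedMessage(container, plaintext) {
  container.textContent = plaintext;
  return container;
}

// Fallback for code that must build an HTML string (e.g. a template): only
// the fixed wrapper is markup; the message body is escaped first.
function renderAsHtmlString(plaintext) {
  return '<p class="message">' + escapeHtml(plaintext) + '</p>';
}

// Constructed sample: what Alice's client holds right after RSA decryption.
const decryptedSample = 'Hi Alice, <script>alert(1)</script> & "quotes"';

// Stand-in for a DOM element so the example also runs outside a browser.
const fakeContainer = { textContent: '' };
renderDecryptedMessage(fakeContainer, decryptedSample);

console.log('textContent path :', fakeContainer.textContent);
console.log('HTML-string path :', renderAsHtmlString(decryptedSample));
// → HTML-string path : <p class="message">Hi Alice, &lt;script&gt;alert(1)&lt;/script&gt; &amp; &quot;quotes&quot;</p>
```

In a browser, `renderDecryptedMessage(document.getElementById('inbox'), plaintext)` is the whole fix; `renderAsHtmlString` exists only for the case where an HTML string is unavoidable, and its escaped output still must not be passed through anything that decodes entities before it reaches `innerHTML`.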
