Javascript数据中的XSS
[英]XSS Within Javascript Data
问题描述
While working on a webapp, I discovered that upon bootstrapping your application, dangerous characters can actually exist within the initial data: 
在使用Web应用程序时,我发现在引导应用程序时,初始数据中实际上可能存在危险字符:
<body>
<script>
var users = [
{ id: 1, bio: 'My beautiful bio' },
{ id: 2, bio: '</script><script>alert("hello")</script>' }
]
</script>
</body>
This was news to me, as I always thought that since the XSS attack exists within the JavaScript, it would be recognized as just a string and would not be dangerous until you actually go to render it within the DOM, but sure enough, that code above is an effective attack. 这对我来说是个新闻,因为我一直认为,由于XSS攻击存在于JavaScript中,因此它会被识别为只是一个字符串,并且直到您真正在DOM中进行渲染才算危险,但可以肯定的是,该代码以上是有效的攻击。
If I'm understanding correctly, to bootstrap an app with some starter data then, you should translate all/any characters into their respected HTML entities on the server-side, then translate them back into their original characters in order to prevent double escaping upon rendering into the DOM? 如果我理解正确,那么要使用一些入门数据引导应用程序,则应将所有字符转换为服务器端受尊重的HTML实体,然后将其转换回其原始字符,以防止再次转义渲染到DOM中? Why doesn't the parser just treat it as a string since it's wrapped in quotes and exists within a script? 解析器为什么不将其视为字符串,因为它用引号引起来并且存在于脚本中?
JSFiddle: http://jsfiddle.net/5hgk7eux/ JSFiddle: http : //jsfiddle.net/5hgk7eux/
1 个解决方案
解决方案1
4 已采纳 2015-02-04 16:37:34
What you've posted is two <script> blocks. 您发布的是两个<script>块。 The first one will fail with a syntax error, and the second one will run the alert() . 第一个将因语法错误而失败,第二个将运行alert() 。 Here's the first script: 这是第一个脚本:
<script>
var users = [
{ id: 1, bio: 'My beautiful bio' },
{ id: 2, bio: '</script>
And here's the second one: 这是第二个:
<script>alert("hello")</script>
The appearance of the string </script> ends a script block regardless of the JavaScript context it appears in. 字符串</script>结束了脚本块,无论它出现在JavaScript上下文中如何。
As to your broader question, yes, you have to sanitize user-supplied text when including it in a JavaScript context. 关于更广泛的问题,是的,当将用户提供的文本包含在JavaScript上下文中时,必须对其进行清理。 The simplest way to do that is to use a JSON encoder. 最简单的方法是使用JSON编码器。 JSON encoders generally include / in the list of characters that must be quoted with \\ inside JavaScript string constants. JSON编码器通常在JavaScript字符串常量内的字符列表中包含/ ,必须用\\引号。 That feature would have protected you because </script> would be rendered as <\\/script> . 该功能将保护您,因为</script>将呈现为<\\/script> 。
Any JSON expression is a valid JavaScript object initializer string (or, if a JSON encoder is asked to encode a primitive string, a valid string constant). 任何JSON表达式都是有效的JavaScript对象初始化程序字符串(或者,如果要求JSON编码器对原始字符串进行编码,则是有效的字符串常量)。
Finally, always applying HTML encoding is definitely not what you should do if you want your application to work properly. 最后,如果您希望应用程序正常运行,那么绝对不应该始终应用HTML编码。 The type of sanitization that must be applied to user-supplied text depends on the syntax of the parser to which it's being fed. 必须对用户提供的文本应用的清理类型取决于解析器所接收的语法。 You apply different sanitization for SQL, for server-side log files, for HTML, and for JavaScript. 您对SQL,服务器端日志文件,HTML和JavaScript应用了不同的清理。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.