[英]Escaped Script tag inside a Select box option (Chrome)
I have an HTML page which contains a dropdownlist . 我有一个HTML页面,其中包含一个dropdownlist。
<html>
<body>
<select>
<option >1</option>
<option >2</option>
<option >3</option>
<option ><script>alert('XSS')</script></option>
</select>
</body>
</html>
In Chrome the select box won't open. 在Chrome中,选择框不会打开。
When I open it in FireFox, the dropdownlist opens, but in Chrome it does not. 当我在FireFox中打开它时,下拉列表会打开,但在Chrome中不会。
Fiddle link : http://jsfiddle.net/nghiadthp/3mpmkfr8/ 小提琴链接: http : //jsfiddle.net/nghiadthp/3mpmkfr8/
Chrome has a feature that can be turned off by setting this flag in your Chrome (icon) > Properties Target path: Chrome具有可以通过在Chrome(图标)>属性目标路径中设置此标志来关闭的功能:
...ome.exe" --disable-web-security
Despite that , what you're trying will suffer from this goods: 尽管如此 ,你想将这个产品遭受什么:
https://developer.chrome.com/extensions/contentSecurityPolicy https://developer.chrome.com/extensions/contentSecurityPolicy
CSP Level 2 offers backward compatibility for inline scripts by allowing you to whitelist specific inline scripts using either a cryptographic nonce (number used once) or a hash CSP 2级通过允许您使用加密随机数(使用一次的数字)或哈希将特定的内联脚本列入白名单,从而为内联脚本提供了向后兼容性。
So you might want probably to create a .json manifest with "unsafe-inline"
property that has that exact (unescaped) script
converted in SHA256 因此,您可能想要创建一个具有"unsafe-inline"
属性的.json 清单 ,该清单具有在SHA256中转换的准确(未转义) script
<script>alert('XSS')</script> // >> convert it to SHA256
Content-Security-Policy: script-src 'sha256-sha256-41f152968d8d75de3055b59b194f3a5a993b65b06c1586d7dda9d73be115271d' 内容安全性政策:script-src'sha256-sha256-41f152968d8d75de3055b59b194f3a5a993b65b06c1586d7dda9d73be115271d'
or using a nonce
property: 或使用nonce
属性:
<script nonce=a3afdc68d2731d5187f58e833610c951>alert('XSS')</script>
must match your manifest's script-src: 必须与清单的script-src相匹配:
Content-Security-Policy: script-src 'nonce-a3afdc68d2731d5187f58e833610c951' 内容安全政策:script-src'nonce-a3afdc68d2731d5187f58e833610c951'
https://developer.chrome.com/extensions/contentSecurityPolicy https://developer.chrome.com/extensions/contentSecurityPolicy
https://developer.chrome.com/extensions/manifest https://developer.chrome.com/extensions/manifest
https://w3c.github.io/webappsec/specs/content-security-policy/ https://w3c.github.io/webappsec/specs/content-security-policy/
http://www.html5rocks.com/en/tutorials/security/content-security-policy/ http://www.html5rocks.com/en/tutorials/security/content-security-policy/
So Chrome will not allow you to perform as you might expect with inline script
s 因此,Chrome不允许您使用内联script
执行预期的操作
(test using <span>
and it'll work!) without you knowing exactly the madness you're doing. (使用<span>
,它将起作用!),而无需您完全知道自己所做的疯狂。
BTW, no element is allowed into option
tag, escaped or not, so Chrome is really smart about it. 顺便说一句, option
标签中不允许有任何元素(无论是否转义),因此Chrome真的很聪明。 Specially regarding XSS prevention. 特别是关于XSS预防。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.