防止XSS攻击仍然使用Html.Raw
[英]Prevent XSS attacks and still use Html.Raw
问题描述
I have CMS system where I am using CK Editor to enter data. 
我有CMS系统,我使用CK编辑器输入数据。 Now if user types in <script>alert('This is a bad script, data');</script> then CKEditor does the fair job and encodes it correctly and passes <script>alert('This is a bad script, data')</script> 现在,如果用户输入<script>alert('This is a bad script, data');</script>那么CKEditor会完成公平的工作并正确编码并传递<script>alert('This is a bad script, data')</script> to server. 到服务器。
But if user goes into browser developer tools (using Inspect element) and adds this inside it as shown in the below screen shot then this is when all the trouble starts. 但是如果用户进入浏览器开发人员工具(使用Inspect元素)并将其添加到其中,如下面的屏幕截图所示,那么这就是所有麻烦开始的时候。 Now after retrieving back from DB when this is displayed in Browser it presents alert box. 现在在从DB中检索回来后,它在浏览器中显示它会显示警告框。
So far I have tried many different things one them is 到目前为止,我已经尝试了很多不同的东西
- Encode the contents using AntiXssEncoder [
HttpUtility.HtmlEncode(Contents)] and then store it in database and when displaying back in browser decode it and display it using MvcHtmlString.Create [MvcHtmlString.Create(HttpUtility.HtmlDecode(Contents))] or Html.Raw [Html.Raw(Contents)] as you may expect both of them displays JavaScript alert.使用AntiXssEncoder [ HttpUtility.HtmlEncode(Contents)]对内容进行编码,然后将其存储在数据库中,当在浏览器中显示后对其进行解码并使用MvcHtmlString.Create [MvcHtmlString.Create(HttpUtility.HtmlDecode(Contents))]或Html进行显示。 Raw [Html.Raw(Contents)]正如您所期望的那样,它们都显示JavaScript警报。
I don't want to replace the <script> manually thru code as it is not comprehensive solution (search for "And the encoded state:"). 我不想手动替换<script>代码,因为它不是全面的解决方案 (搜索“和编码状态:”)。
So far I have referred many articles (sorry not listing them all here but just adding few as proof to show I have put sincere efforts before writing this question) but none of them have code which shows the answer. 到目前为止,我已经提到了许多文章(抱歉没有在这里列出所有文章,但只是添加了一些作为证明我在写这个问题之前付出了真诚努力的证据)但是没有一个代码能够显示答案。 May be there is some easy answer and I am not looking in right direction or may be it is not that simple at all and I may need to use something like Content Security Policy . 可能有一些简单的答案,我不是在寻找正确的方向,或者可能不是那么简单,我可能需要使用内容安全策略之类的东西。
ASP.Net MVC Html.Raw with AntiXSS protection Is there a risk in using @Html.Raw? 具有AntiXSS保护的ASP.Net MVC Html.Raw 使用@ Html.Raw存在风险吗? http://blog.simontimms.com/2013/01/21/content-security-policy-for-asp-net-mvc/ http://blog.michaelckennedy.net/2012/10/15/understanding-text-encoding-in-asp-net-mvc/ http://blog.simontimms.com/2013/01/21/content-security-policy-for-asp-net-mvc/ http://blog.michaelckennedy.net/2012/10/15/understanding-text-编码在-ASP净MVC /
To reproduce what I am saying go to * this url and in the text box type <script>alert('This is a bad script, data');</script> and click the button. 要重现我所说的,请转到* 此URL并在文本框中键入<script>alert('This is a bad script, data');</script>并单击按钮。
*This link is from Michael Kennedy's blog *此链接来自Michael Kennedy的博客
2 个解决方案
解决方案1
3 2015-07-16 20:45:11
It isn't easy and you probably don't want to do this. 这并不容易,你可能不想这样做。 May I suggest you use a simpler language than HTML for end user formatted input? 我建议您使用比HTML更简单的语言来进行最终用户格式化输入吗? What about Markdown which (I believe) is used by Stackoverflow . 关于降价什么这(我相信)是通过使用#1 。 Or one of the existing Wiki or other lightweight markup languages ? 或者现有的Wiki或其他轻量级标记语言之一 ?
If you do allow Html, I would suggest the following: 如果你允许Html,我会建议如下:
- only support a fixed subset of Html 只支持固定的Html子集
- after the user submits content, parse the Html and filter it against a whitelist of allowed tags and attributes. 在用户提交内容之后,解析Html并根据允许的标签和属性的白名单对其进行过滤。
- be ruthless in filtering and eliminating anything that you aren't sure about. 在过滤和消除任何你不确定的事情时要无情。
There are existing tools and libraries that do this. 有现成的工具和库可以做到这一点。 I haven't used it, but I did stumble on http://htmlpurifier.org/ . 我没有用它,但我在http://htmlpurifier.org/上偶然发现了 。 I assume there are many others. 我想还有很多其他的。 Rick Strahl has posted one example for .NET, but I'm not sure if it is complete. Rick Strahl已经发布了.NET的一个例子 ,但我不确定它是否完整。
About ten years ago I attempted to write my own whitelist filter. 大约十年前,我试图编写自己的白名单过滤器。 It parsed and normalized the entered Html. 它解析并规范化输入的Html。 Then it removed any elements or attributes that were not on the allowed whitelist. 然后,它删除了不在允许的白名单上的任何元素或属性。 It worked pretty well, but you never know what vulnerabilities you've missed. 它工作得很好,但你永远不知道你错过了哪些漏洞。 That project is long dead, but if I had to do it over I would have used an existing simpler markup language rather than Html. 该项目早已死亡,但如果我不得不这样做,我会使用现有的更简单的标记语言而不是Html。
There are so many ways for users to inject nasty stuff into your pages, you have to be fierce to prevent this. 用户有很多方法可以在页面中注入令人讨厌的东西,你必须要凶狠地防止这种情况发生。 Even CSS can be used to inject executable expressions into your page, like: 甚至可以使用CSS将可执行表达式注入页面,例如:
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
Here is a page with a list of known attacks that will keep you up at night. 这是一个包含已知攻击列表的页面 ,可以让你夜不能寐。 If you can't filter and prevent all of these, you aren't ready for untrusted users to post formatted content viewable by the public. 如果您无法过滤并阻止所有这些,则您尚未准备好让不受信任的用户发布公众可查看的格式化内容。
Right around the time I was working on my own filter, MySpace (wow I'm old) was hit by an XSS Worm known as Samy . 就在我自己的过滤器工作的时候,MySpace(哇我老了)被称为Samy的XSS蠕虫击中。 Samy used Style attributes with embedded background Url that had a javascript payload. Samy使用具有javascript有效负载的嵌入式背景Url的Style属性。 It is all explained by the author . 这一切都由作者解释 。
Note that your example page says: 请注意,您的示例页面显示 :
This page is meant to accept and display raw HTML by trusted editors.
The key issue here is trust. 这里的关键问题是信任。 If all of your users are trusted (say employees of a web site), then the risk here is lower. 如果您的所有用户都是可信任的(例如网站的员工),那么此处的风险就会降低。 However, if you are building a forum or social network or dating site or anything that allows untrusted users to enter formatted content that will be viewable by others, you have a difficult job to sanitize Html. 但是,如果您正在构建论坛或社交网络或约会网站或任何允许不受信任的用户输入其他人可以查看的格式化内容的内容,那么您很难对Html进行清理。
解决方案2
1 2017-05-12 15:23:31
I managed to resolve this issue using the HtmlSanitizer in NuGet: 我设法使用NuGet中的HtmlSanitizer解决了这个问题:
https://github.com/mganss/HtmlSanitizer https://github.com/mganss/HtmlSanitizer
as recommended by the OWASP Foundation (as good a recommendation as I need): 根据OWASP基金会的建议(作为我需要的推荐):
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job
First, add the NuGet Package: 首先,添加NuGet包:
> Install-Package HtmlSanitizer
Then I created an extension method to simplify things: 然后我创建了一个扩展方法来简化事情:
using Ganss.XSS;
...
public static string RemoveHtmlXss(this string htmlIn, string baseUrl = null)
{
if (htmlIn == null) return null;
var sanitizer = new HtmlSanitizer();
return sanitizer.Sanitize(htmlIn, baseUrl);
}
I then validate within the controller when the HTML is posted: 然后我在发布HTML时在控制器内进行验证:
var cleanHtml = model.DodgyHtml.RemoveHtmlXss();
AND for completeness, sanitise whenever you present it to the page, especially when using Html.Raw(): 并且为了完整性,每当您将其呈现给页面时进行清理,尤其是在使用Html.Raw()时:
<div>@Html.Raw(Model.NotSoSureHtml.RemoveHtmlXss())</div>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.