[英]Preventing Javascript XSS by replacing all the bracket characters
I'm using MongoDB for backend, which makes me believe I shouldn't be worried about XSS in my DB. 我将MongoDB用于后端,这使我相信我不必担心数据库中的XSS。
For the "frontend" I'm generating pages via JSP. 对于“前端”,我通过JSP生成页面。 Now, I'm religiously escaping user-generated content (which should be plain text - no Javascript or HTML tags), but I don't trust myself 100%. 现在,我虔诚地逃避了用户生成的内容(应该是纯文本,没有Javascript或HTML标记),但是我不相信自己100%。
After reading some pointers about XSS, I'm wondering whether the following hack would fail-proof my website. 在阅读了有关XSS的一些知识之后,我想知道以下黑客攻击是否会使我的网站失效。
When consuming user-generated input on the server side, I want to replace all the brackets in user-generated content , eg ()
by []
. 在服务器端使用用户生成的输入时,我想用[]
替换用户生成的内容中的所有方括号,例如()
。 And I want to replace all the <>
symbols by: single left-pointing angle quotation mark: ‹ single right-pointing angle quotation mark: › 我想将所有<>
符号替换为:单个左角引号:‹单个右角引号:›
Now, I'm assuming that without ()
and <>
it's pretty much impossible to write a piece of JavaScript XSS. 现在,我假设没有()
和<>
几乎不可能编写一段JavaScript XSS。
Will this hack work or am I missing something? 这个技巧会奏效还是我缺少什么?
You've stated or alluded to the following in the comments or question above, paraphrased: 在上面的评论或问题中,您已经表述或暗示了以下内容:
<div> tainted data here </div>
污染数据在div数据状态上下文中插入,例如: <div> tainted data here </div>
<script>$('#someid').populate($.parseJSON('<%=StringEscapeUtils.escapeEcmaScript(jsonString)%>'));</script>
污染数据在嵌套上下文中插入:JavaScript单引号/双引号→脚本数据状态: <script>$('#someid').populate($.parseJSON('<%=StringEscapeUtils.escapeEcmaScript(jsonString)%>'));</script>
StringEscapeUtils.escapeEcmaScript
for the aforementioned JavaScript contexts 您可以使用Apache的百科全书JavaScript字符串逃避者StringEscapeUtils.escapeEcmaScript
对于上述的JavaScript环境 <
and >
characters 您将过滤出<
和>
字符 I don't see any way for XSS to occur given the above. 鉴于上述情况,我看不到XSS发生任何方式。 If you do not escape the <
and >
then your code might be susceptible to some weirdness regarding script data escape states. 如果不对 <
和>
进行转义,则您的代码可能会因脚本数据转义状态而有些奇怪 。 That weirdness could possibly lead to an XSS. 这种怪异可能导致XSS。
Instead of filtering, I recommend escaping the data using the Coverity Security Library Escape.jsString method, which escapes <
and >
. 建议不要使用Coverity Security Library Escape.jsString方法对数据进行转义,该方法转义<
和>
,而不是进行过滤。 (Full disclosure: I worked at Coverity and committed to that library.) (完全公开:我在Coverity工作,并致力于该库。)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.