使用CSS可以使我的网站受到攻击吗?
[英]Can this use of CSS open my site to an attack?
问题描述
To allow my users to pick their colour scheme of my site, I decided to add a "Settings" page that lets them pick their colours. 
为了允许用户选择自己网站的配色方案,我决定添加一个“设置”页面,让他们选择自己的颜色。 The simplest way to choose a colour that I could think of was to let them type a colour's name, and have the text they enter fed directly into the CSS of the elements. 我想到的最简单的选择颜色的方法是让他们键入颜色的名称,然后将输入的文本直接输入到元素的CSS中。 This code shows the idea. 这段代码说明了这个想法。
var saveButton = document.getElementById('saveButton'); var saveBox = document.getElementById('textToSave'); var colourBox = document.getElementById("colourBox"); saveButton.onclick = function() { colourBox.style.backgroundColor = saveBox.value; }
#colourBox { display: inline-block; background-color: grey; height: 100px; width: 100px; } input { margin: 0px; } input, Button { height: 30px; font-size: 15px; margin-left: 10px; margin-right: 10px }
<input id="textToSave" type="text"> <button id="saveButton">Save</button> <br> <div id="colourBox"></div>
Since I'm directly feeding user input into the element though, I'm worried this might open my site up to an injection attack. 由于我将用户输入直接输入到元素中,因此我担心这可能会使我的网站遭受注入攻击。
I know very little about exploits though. 我对漏洞利用知之甚少。 The best I could do to attempt an injection attack was to enter the following "colour" into the text box: 我尝试进行注射攻击的最佳方法是在文本框中输入以下“颜色”:
yellow; width: 200px;
But the second statement was dropped, likely because I'm specifying in the JavaScript that I'm changing the background colour, and not the style in general. 但是第二条语句被删除了,可能是因为我在JavaScript中指定要更改背景颜色,而不是通常的样式。
Is the above fiddle susceptible to an injection attack? 上述小提琴是否容易受到注射攻击?
3 个解决方案
解决方案1
1 已采纳 2015-12-29 17:02:27
I think this should be safe. 我认为这应该是安全的。 You're not assigning to the style attribute in general, you're assigning specifically to element.style.backgroundColor . 通常,您没有分配style属性,而是专门分配了element.style.backgroundColor 。 This doesn't get re-parsed as HTML or a CSS style string. 不会将其重新解析为HTML或CSS样式字符串。
If it's not a valid color specification, it will just be ignored. 如果它不是有效的颜色规范,它将被忽略。
Note that this would not be entirely safe if you were doing this with an attribute that allows URLs, such as background-image . 请注意,如果您使用允许URL的属性(例如background-image进行此操作,则并非绝对安全。 The user could then enter the URL for any remote site, and execute code there. 然后,用户可以输入任何远程站点的URL,并在那里执行代码。 This might allow for some kinds of XSS exploits. 这可能允许使用某些XSS漏洞。
解决方案2
1 2015-12-29 17:03:09
使用<input type="color" />
解决方案3
0 2015-12-29 17:03:26
Since JavaScript and CSS run on client side (browser), it can not be used to attack to your website back-end. 由于JavaScript和CSS在客户端(浏览器)上运行,因此不能用于攻击您的网站后端。 The worst case is that a user breaks his own view, but a page/browser refresh will undo the bad view. 最坏的情况是用户中断了自己的视图,但是刷新页面/浏览器将撤消错误的视图。 I hope this addresses your question. 我希望这能解决您的问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.