XSS - OWASP HTML Sanitizer Filters <form>

I'm using the Java OWASP HTML Sanitizer (HtmlPolicyBuilder) to clean HTML being rendered in my web app, provided by 3rd party services.

Using some of the out-of-the-box options, I notice that <form> tags are removed. I understand that I can include them with allowElements("form"), but is there a good reason to not allow forms?

What sort of XSS attacks should I be thinking about when rendering others' forms on my website?


For reference, my sanitization policy is:

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Allowlist policy: common block/inline elements, the style attribute, and
// http/https/mailto URLs (no element that carries a URL is allowed, though).
PolicyFactory policy = new HtmlPolicyBuilder()
    .allowCommonBlockElements()
    .allowCommonInlineFormattingElements()
    .allowStyling()
    .allowStandardUrlProtocols()
    .toFactory();

One example is phishing. Display a username/password form, point the action parameter towards the attacker's web server, and trick users into believing they need to re-authenticate. Also, if the users have autofill on, then the form could be automatically filled with username/password details.

As Sean pointed out, someone could successfully phish some info from your users. To add a bit more info though, using just those canned methods, you'll have a pretty restricted whitelist, but perhaps that's what you want.

The elements you'd allow would be:

"b", "i", "font", "s", "u", "o", "sup", "sub", "ins", "del", "strong", "strike", "tt", "code", "big", "small", "br", "span", "em", "p", "div", "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li", "blockquote".

allowStyling just allows the style attribute globally. allowStandardUrlProtocols would allow URLs with "http", "https", "mailto" protocols wherever you are referencing a URL (a:href, img:src, q:cite, etc.), but you don't allow any of these elements or attributes anyway, so it's essentially useless.

You may want to spend time looking online at example whitelists (not just for OJHS) to get an idea of commonly allowed elements & attributes to better develop your whitelist.
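As an added example (not code from the question or either answer), the following runs the questioner's policy over a constructed third-party snippet containing the kind of fake re-authentication form the first answer describes, and beside it a second policy that actually gives allowStandardUrlProtocols something to do by allowing <a href>. The sample HTML, the class name and the WITH_LINKS policy are assumptions made for this example.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class FormSanitizerDemo {

    // The questioner's policy, unchanged: <form>, <a> and <img> are not in the allowlist.
    static final PolicyFactory RESTRICTED = new HtmlPolicyBuilder()
            .allowCommonBlockElements()
            .allowCommonInlineFormattingElements()
            .allowStyling()
            .allowStandardUrlProtocols()
            .toFactory();

    // Hypothetical variant: once <a href> is allowed, allowStandardUrlProtocols
    // restricts href to http/https/mailto, and rel="nofollow" is forced on links.
    static final PolicyFactory WITH_LINKS = new HtmlPolicyBuilder()
            .allowCommonBlockElements()
            .allowCommonInlineFormattingElements()
            .allowStyling()
            .allowStandardUrlProtocols()
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .requireRelNofollowOnLinks()
            .toFactory();

    // Constructed untrusted input: a phishing-style login form plus two links,
    // one with a standard protocol and one with a protocol outside the allowlist.
    static final String UNTRUSTED = "<p>Your session expired.</p>"
            + "<form action=\"https://attacker.invalid/collect\" method=\"post\">"
            + "<input name=\"user\" autocomplete=\"username\">"
            + "<input name=\"pass\" type=\"password\">"
            + "<button>Sign in</button></form>"
            + "<a href=\"https://example.org/help\">Help</a>"
            + "<a href=\"ftp://example.org/file\">File</a>";

    // True if a <form> element survived sanitization (case-insensitive check).
    static boolean containsForm(String html) {
        return html.toLowerCase().contains("<form");
    }

    public static void main(String[] args) {
        String restricted = RESTRICTED.sanitize(UNTRUSTED);
        String withLinks = WITH_LINKS.sanitize(UNTRUSTED);
        System.out.println("restricted: " + restricted);
        System.out.println("with links: " + withLinks);
        // Neither policy lists "form", so the form and its inputs are stripped by both;
        // only WITH_LINKS keeps the https link, and it drops the ftp: href.
        if (containsForm(restricted) || containsForm(withLinks)) {
            throw new AssertionError("<form> survived sanitization");
        }
    }
}
```

Compile against the owasp-java-html-sanitizer jar; the printed output shows what each policy leaves of the form's surrounding text and links.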
