[英]Check input and convert it to appropriate type to prevent XSS
Lets say I get "name" from a user and he enters <script>alert("you got xss!");</script>
假设我从用户那里得到“名字”并且他输入
<script>alert("you got xss!");</script>
But on the server I convert: name= name_from_frontend.toString();
但在我转换的服务器上:
name= name_from_frontend.toString();
before saving it to db. 在将其保存到db之前。
Similarly, I check for int using parseInt()
同样,我
int using parseInt()
检查int using parseInt()
float using parseFloat()
boolean using typeof(variable_name)
and so on. boolean using typeof(variable_name)
等。
Is there still a need of escaping <
, &
and other characters as mentioned by OWASP to prevent XSS? 是否还需要转出OWASP提到的
<
, &
和其他字符来阻止XSS?
Calling toString()
on a string type doesn't help. 在字符串类型上调用
toString()
没有帮助。 You probably need to strip evil tags such as script
, etc. 您可能需要删除诸如
script
等的恶意标记。
Most server-side languages such as python ( https://pypi.python.org/pypi/bleach ), php ( strip_tags()
), etc have function libraries focused on cleanup evil markup so you can safely use that input later. 大多数服务器端语言(如python( https://pypi.python.org/pypi/bleach ),php(
strip_tags()
)等都具有专注于清理恶意标记的函数库,因此您可以在以后安全地使用该输入。
If you want a JS solution you should check https://www.npmjs.com/package/sanitize-html , which does the job but is intended for use with Node. 如果你想要一个JS解决方案,你应该检查https://www.npmjs.com/package/sanitize-html ,它可以完成这项工作但是打算用于Node。 Example:
例:
clean = sanitizeHtml(dirty, {
allowedTags: [ 'b', 'i', 'em', 'strong', 'a' ],
allowedAttributes: {
'a': [ 'href' ]
}
});
Enapupe is broadly correct, but the part of his answer which says You probably need to strip evil tags such as script, etc.
- is not very clear. Enapupe大致正确,但他的答案部分说
You probably need to strip evil tags such as script, etc.
- 不是很清楚。
The correct statement would be - You absolutely have to remove XSS using OWASP guidelines , converting to string or not converting to string will not make a difference ! 正确的陈述是 - 你绝对必须使用OWASP指南删除XSS,转换为字符串或不转换为字符串不会有所作为 !
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.