简体繁体 English

XSS 攻击，多重 html 清理

[英]XSS attacks, multiple html sanitization

原文 2018-07-15 18:19:59 7 2 html/ database/ security/ xss

I'm working on a web service project, where I display some data obtained from database, which in turn is made of users' inputs.我正在处理一个 Web 服务项目，在该项目中我显示了从数据库中获取的一些数据，而这些数据又由用户的输入组成。 Of course I want to prevent my application from being vulnerable to XSS attacks, so obviously I sanitize the input from html special characters.当然，我想防止我的应用程序容易受到 XSS 攻击，所以很明显我清理了来自 html 特殊字符的输入。 But I have a following problem - data returned from the server is in form < (in this example case for '<' sign), and on the front end the second sanitization process occurs, making it <, which is totally incomprehensible by the web browser.但是我有以下问题 - 从服务器返回的数据格式为 <（在本例中为 '<' 符号），并且在前端发生了第二个清理过程，使其 <，这对于网页浏览器。 Is there a simple way to get over it, or maybe I should sanitize inputs only in one place (I presume that the server would be the best option).有没有一种简单的方法来克服它，或者我应该只在一个地方清理输入（我认为服务器将是最好的选择）。

Thanks for all answers.感谢所有的答案。

2 个解决方案

You can't reliably sanitize user input.您无法可靠地清理用户输入。 It's a losing battle.这是一场失败的战斗。 As soon as you think you've filtered out all the "bad" characters, someone will pass in an escape sequence or something else unexpected一旦你认为你已经过滤掉了所有的“坏”字符，就会有人传入一个转义序列或其他意想不到的东西

If you're using a database server, make sure all input is handled by pre-compiled stored procedures, and make sure that the user that the web app logs in as, only has EXECUTE perms.如果您使用的是数据库服务器，请确保所有输入都由预编译的存储过程处理，并确保 Web 应用程序登录的用户只有 EXECUTE 权限。 This prevents SQL injection and other mischief.这可以防止 SQL 注入和其他恶作剧。

If you're worried about actual characters, make sure you have a "pass through OK characters" filter and not a "remove bad characters" filter.如果您担心实际字符，请确保您有“通过 OK 字符”过滤器而不是“删除坏字符”过滤器。 The number of "good characters" is finite, while the number of attack vectors is infinite. “好角色”的数量是有限的，而攻击向量的数量是无限的。

As for your question about "<" characters, if the intended output is for user display, you can run the entire string through HttpServerUtility.HtmlEncode or it's equivalent in whatever language you use.至于您关于“<”字符的问题，如果预期输出用于用户显示，您可以通过 HttpServerUtility.HtmlEncode 运行整个字符串，或者在您使用的任何语言中都等效。 This will convert the string into code that will display properly in the browser but not be interpreted.这会将字符串转换为可以在浏览器中正确显示但不会被解释的代码。

It doesn't look like you're having a problem escaping it, it looks like you're having a problem deciding if you need to escape it.看起来您在逃避它时没有问题，看起来您在决定是否需要逃避它时遇到了问题。 Pick a standard and stick with it, then convert as necessary.选择一个标准并坚持下去，然后根据需要进行转换。 If it normally comes in unescaped, just store it that way, and escape it when you want to display it.如果它通常是未转义的，只需以这种方式存储它，并在您想显示它时转义它。

The best way to sanitize untrusted data that is served back to a user in the context of XSSs for spring boot is to use a template engine that will suit your needs (eg JSP).清理在 Spring Boot 的 XSS 上下文中返回给用户的不可信数据的最佳方法是使用适合您需求的模板引擎（例如 JSP）。

Template engine will automatically generate HTML you need, escape it properly and insert the content in a required placeholder (if an issue with broken encoding occurs for async requests).模板引擎将自动生成您需要的 HTML，正确转义它并将内容插入所需的占位符中（如果异步请求出现编码损坏的问题）。 Be careful and check if a chosen engine does it by default or it needs a special directive to do so.小心并检查所选引擎是否默认执行或需要特殊指令来执行此操作。