防止html中的xss onclick,onmouseout等对SPA
[英]Prevent xss in html onclick, onmouseout, … for SPA
问题描述
I'm using AngularJS and ASP.Net Web API 2 for my customer survey system. 
我将AngularJS和ASP.Net Web API 2用于我的客户调查系统。
My web use a wysiwyg component to help user inputs his/her data. 我的网络使用wysiwyg组件来帮助用户输入他/她的数据。 This is the html generated by my wysiwyg I'm using: 这是我使用的wysiwyg生成的html:
<h2 style="text-align: center;"><span style="text-decoration: underline;"><strong>Click here</strong></span><strong> to start using the </strong><strong><em>HTML editor online</em></strong></h2>
<p><span style="font-weight: 400;">Please</span><span style="font-weight: 400;"> try out the WYSIWYG HTML editor features found in the kitchen sink above to edit and format your text and images</span></p>
<p><span style="font-weight: 400;">You’ll see the content created in the WYSIWYG-HTML editor in source code format on the right.</span><br /><br /></p>
<p> </p>
<p><img onclick="alert('Hello world')" onmouseout="alert('Mouse out')" src="https://icon2.kisspng.com/20180416/ucw/kisspng-tanki-online-video-gaming-clan-world-of-tanks-avat-joker-5ad4b1028d0565.2188790515238883865776.jpg" alt="" width="260" height="260" /></p>
This is what I'm doing on API for encoding the html code above. 这就是我在对上面的html代码进行编码的API上所做的事情。
/// Encode submited html content
/// </summary>
/// <returns></returns>
[Route("encode")]
[HttpPost]
public IHttpActionResult Encode([FromBody] EncodeViewModel httpContent)
{
if (httpContent == null)
{
httpContent = new EncodeViewModel();
Validate(httpContent);
}
if (!ModelState.IsValid)
return BadRequest(ModelState);
var encodedHtmlContent= HttpUtility.HtmlEncode(httpContent.HtmlContent);
// Save content to database here.
return Ok(encodedHtmlContent);
}
When my front-end client load the encoded html and display to website page. 当我的前端客户端加载编码的html并显示到网站页面时。 I want that there will be no message Hello world or Mouse out displayed when I click on the image. 我希望当我单击图像时,不会显示消息Hello world或Mouse out 。
That means, I only allow text, images, videos to be displayed, but don't allow inline code in the content. 这意味着,我只允许显示文本,图像,视频,但不允许在内容中使用内联代码。
Are there any solutions for this ? 有什么解决办法吗?
Thank you, 谢谢,
1 个解决方案
解决方案1
1 已采纳 2018-07-29 20:23:12
To ensure that some piece of html is safe is hard ! 为了确保一些片html安全是很难 ! There are libraries to do html XSS filtering, but they are large and its still dangerous. 有一些库可以进行html XSS过滤,但是它们很大,仍然很危险。 Thats why there are things like mobiledoc . 那就是为什么会有诸如mobiledoc之类的东西 。 In general I would recommend you to not use HTML as your WYSIWYG output , then you dont have to escape it. 通常,我建议您不要将HTML用作所见即所得的输出 ,然后就不必对其进行转义。 Rather use something else and generate the HTML from it. 而是使用其他内容并从中生成HTML。 Then you can be sure you dont generate dangerous HTML. 然后,您可以确保不会生成危险的HTML。 Still be careful if you do simple string concatenations. 如果执行简单的字符串连接,仍要小心。
This is why we have things like BB-Code or wiki markup or mobiledoc. 这就是为什么我们有诸如BB代码或Wiki标记或mobiledoc之类的原因。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.