在Node.js / express中将对象安全地传递给客户端
[英]Safely pass object to client in Node.js/express
问题描述
A common question is how to pass an object from Node.js/Express.js to the browser. 
一个常见的问题是如何将对象从Node.js / Express.js传递到浏览器。 It's possible to do that using JSON stringify, but if the object contains user-provided data, that can open the door to script-injection and possibly other attacks. 可以使用JSON字符串化来执行此操作,但是如果对象包含用户提供的数据,则可以打开脚本注入和其他攻击途径。
Is there a downside to the approach mentioned in this link using Base64? 使用Base64的此链接中提到的方法是否有缺点?
https://stackoverflow.com/a/37920555/645715 https://stackoverflow.com/a/37920555/645715
Related links: 相关链接:
Passing an object to client in node/express + ejs? 在node / express + ejs中将对象传递给客户端?
How to pass a javascript object that contains strings with quotes from node.js to the browser? 如何将包含带引号的字符串的JavaScript对象从node.js传递到浏览器?
Pass a NodeJS express object to AngularJS 1.6 将NodeJS Express对象传递给AngularJS 1.6
Passing an object to client in node/express + ejs? 在node / express + ejs中将对象传递给客户端?
1 个解决方案
解决方案1
2 已采纳 2018-08-17 03:54:01
Using Base64 encoding does solve the immediate problem of passing back an injection attack, but it doesn't necessarily solve the issue of having a possible injection attack floating around out there. 使用Base64编码确实解决了传递注入攻击的紧迫问题,但是并不一定解决可能存在的注入攻击浮出水面的问题。 For example, this fiddle shows that it does prevent the immediate issue : https://jsfiddle.net/9prhkx74/ 例如,此小提琴表明它确实防止了当前问题: https : //jsfiddle.net/9prhkx74/
var test2 = JSON.parse(window.atob('PC9zY3JpcHQ+PHNjcmlwdD5hbGVydCgndGVzdDInKTwvc2NyaXB0PjxzY3JpcHQ+'));
This won't show an alert box, it'll just throw an error about invalid JSON. 这不会显示警报框,只会引发有关无效JSON的错误。 But if you change it to the literal string, it'll show the alert box (injection vulnerable) 但是,如果将其更改为文字字符串,则会显示警报框(容易注入)
var test2 = JSON.parse("</script><script>alert('test2')</script><script>")
Now if you are immediately parsing it to a JSON object, it'll blow up, and everything will be "safe". 现在,如果您立即将其解析为JSON对象,它将被炸毁,一切都会变得“安全”。 But if you assign it to a value because you are going to pass it around some more etc, you still have a potential issue out there. 但是,如果由于将其传递给其他值而将其分配给某个值,则仍然存在潜在的问题。
Instead of putting a bandaid on the injection itself, I'd suggest fixing it in the first place and properly escaping data before passing it back to the client or processing it on the server side. 建议不要首先对注入本身施加创可贴,而首先建议对其进行修复并适当地转义数据,然后再将其传递回客户端或在服务器端进行处理。
There are plenty of libraries that can help do this 有很多库可以帮助您做到这一点
https://www.npmjs.com/package/sanitize https://www.npmjs.com/package/express-sanitizer https://www.npmjs.com/package/sanitize https://www.npmjs.com/package/express-sanitizer
Here's a pretty good article that kind of highlights why it is important to sanitize and not just just patch over potentially malicious data : https://lockmedown.com/5-steps-handling-untrusted-node-js-data/ 这是一篇非常不错的文章,强调了为什么重要的是进行清理,而不仅仅是修补潜在的恶意数据: https : //lockmedown.com/5-steps-handling-untrusted-node-js-data/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.