简体繁体 English

在包含富文本编辑器的HTML小节中限制Javascript

[英]Restrict Javascript in subsection of HTML containing rich-text editor

原文 2018-09-05 04:11:13 1 1 javascript/ html/ xss/ rich-text-editor

I'm working on a legacy web app that uses both the rich-text summernote editor , which can save formatted notes to our server, as well as a lot of instances of in-line Javascript. 我正在使用一个旧的Web应用程序，该应用程序使用富文本的summernote编辑器（可以将格式化后的注释保存到我们的服务器）以及许多嵌入式 Javascript实例。

Summernote can permit writing HTML/CSS/JS via it's "code" view, but doesn't seem to have any built-in support for preventing XSS. Summernote可以允许通过“代码”视图编写HTML / CSS / JS，但是似乎没有内置的支持来防止XSS。 If you go to their homepage for instance, go to code-view for the editor, and write <script>alert(0)</script> and turn it back to text-view, it will execute the script. 例如，如果转到他们的主页，请转到编辑器的代码视图，然后编写<script>alert(0)</script>并将其返回到文本视图，它将执行该脚本。 We want users to be able to do things like bold content, insert hyperlinks & images, etc, but no JS or probably even CSS. 我们希望用户能够执行诸如加粗内容，插入超链接和图像等操作，但不能使用JS甚至CSS。

We've just discovered the developer who originally implemented XSS protection for these editors in the app did a bit of a weak job, and are now trying to sure it up. 我们刚刚发现最初在应用程序中为这些编辑器实施XSS保护的开发人员的工作做得很差，现在正在尝试确定这一点。 Thus far, it seems my options are either: (a) creating/sourcing a whitelist which will parse the Summernote HTML and only allow certain HTML elements in the field; 到目前为止，似乎我的选择是： （a）创建/提供白名单，该白名单将解析Summernote HTML，并且只允许该字段中的某些HTML元素； and/or (b) implementing CSP headers and moving all in-line JS / CSS to separate files. 和/或（b）实现CSP标头并将所有内联JS / CSS移动到单独的文件中。

Given it's only these editors that need to be able to return valid HTML to users, the rest of the site we can and do fully sanitize content, is it possible to disable inline JS / CSS in only a section of an HTML page (Ie the area we load the editor's content to)? 鉴于只有这些编辑者才需要能够向用户返回有效的HTML，我们其余的网站都可以并且可以完全清除内容，是否有可能仅在HTML页面的一部分中禁用内联JS / CSS（即加载编辑器内容的区域）？ Or is that not an option / liable to be susceptible to workarounds? 还是这不是一种选择/易于解决？

Edit : Just as a note, I recognize that the rich-text editor can't prevent XSS if we're choosing to save content to the server, as it runs on the client-end. 编辑：谨记一下，我认识到，如果我们选择将内容保存到服务器（因为它在客户端上运行），则富文本编辑器无法阻止XSS。 I meant that I couldn't find resources / suggestions regarding HTML whitelists, or example sanitization for various servers via their site. 我的意思是我找不到有关HTML白名单的资源/建议，也找不到通过其站点对各种服务器进行清理的示例。

Edit 2 : Will definitely be implementing some sort of whitelist to be on the safe-side (possibly CSP as well, but refactoring will be a headache), but still want to know if this is possible: Ie between two sections of HTML, is it possible to block all inline JS & CSS? 编辑2 ：肯定会在安全方面实施某种白名单（可能也包括CSP，但重构将令人头疼），但仍想知道这是否可行：即HTML的两个部分之间是有可能阻止所有内联JS和CSS？

1 个解决方案

As I read in this note https://github.com/summernote/summernote/issues/1617 正如我在本说明中所读到的https://github.com/summernote/summernote/issues/1617

You have to validate at serverside anyway. 无论如何，您都必须在服务器端进行验证。 It's a funny behavior, I agree, but the user is allowed to do anything in his own browser. 我同意这是一种有趣的行为，但是允许用户在自己的浏览器中执行任何操作。 The only thing you (you, and not this package) should taker care of, is not letting users storing harmful code in your database (which is later displayed in other users browser) 您（而不是此程序包）需要照顾的唯一一件事就是不要让用户将有害代码存储在您的数据库中（以后将在其他用户的浏览器中显示）

So, basically you are in charge of what users are trying to put in your database or web page. 因此，基本上，您将负责用户试图在数据库或网页中输入的内容。 So you need to: 因此，您需要：

Make a "server-side" validation of the content (delete <script> tags with content, for example) 对内容进行“服务器端”验证（例如，删除具有内容的<script>标记）
Implementing a client-size sanitization (it does not prevent you to make a server-side validation) to help the user notify he is not allowed to include scripts. 实施客户端大小的清理（这不会阻止您进行服务器端验证），以帮助用户通知他不允许包括脚本。 This could be done while switching between code view and preview (See Summernote event for switch from code view to editor ) 这可以在代码视图和预览之间切换时完成（有关从代码视图切换到编辑器的信息，请参见Summernote事件）。