堆栈内存溢出
  简体   繁体   English

使用windows.location.href时的跨站点脚本

[英]Cross site scripting when using windows.location.href

 原文  2019-01-28 08:36:06       javascript/ model-view-controller/ cross-domain/ url-redirection/ x-xsrf-token

问题描述

I am using Windows.location.href=URl to navigate to MVC controller method from java script. 我正在使用Windows.location.href = URl从Java脚本导航到MVC控制器方法。 I want to avoid any XSS attack when redirecting. 我想避免重定向时发生任何XSS攻击。 what should i do 我该怎么办

2 个解决方案

解决方案1
 0  2019-01-28 09:07:30

You can write your own XSS sanitising function 您可以编写自己的XSS清理功能 

function encodeHTML(s) {
    return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}

window.location.href = encodeHTML(URI);

解决方案2
 0  2019-01-28 09:17:46

It should be very easy. 应该很容易。 I have ready made solution for you. 我已经为您准备了解决方案。 First of all some theoritical understanding 首先是一些理论上的理解

RULE #0 - Never Insert Untrusted Data Except in Allowed Locations 规则#0-切勿在允许的位置插入非信任数据 

<script>...NEVER PUT UNTRUSTED DATA HERE...</script>   directly in a script

<style>...NEVER PUT UNTRUSTED DATA HERE...</style>   directly in CSS

RULE #1 - HTML and JavaScript Escape Before Inserting Untrusted Data into HTML Element Content 规则#1-在将不受信任的数据插入HTML元素内容之前,先转义HTML和JavaScript

HTML ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE... JS HTML ...在此处放置之前,ESCAPE解压缩了数据... JS 

<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>     inside a quoted string

Escaping as in 转义为 

& --> &amp;
 < --> &lt;
 > --> &gt;
 " --> &quot;
 ' --> &#x27;     &apos; not recommended because its not in the HTML spec (See: section 24.4.1) &apos; is in the XML and XHTML specs.
 / --> &#x2F;     forward s

lash is included as it helps end an HTML entity 包含了睫毛,因为它有助于结束HTML实体

Ensure returned Content-Type header is application/json and not text/html. 确保返回的Content-Type标头为application / json,而不是text / html。

Coming to the coding portion 来到编码部分

Following would help you 追踪将对您有帮助 

private String killXSS(String value) {
        if (value != null) {
            // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
            // avoid encoded attacks.
            // value = ESAPI.encoder().canonicalize(value);

            // Avoid null characters
            value = value.replaceAll("", "");

            // Avoid anything between script tags
            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid anything in a src='...' type of expression
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // Remove any lonesome </script> tag
            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // Remove any lonesome <script ...> tag
            scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid eval(...) expressions
            scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid expression(...) expressions
            scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid javascript:... expressions
            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid vbscript:... expressions
            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid onload= expressions
            scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
        }
        return value;
    }

Make sure every request you are sending to server is stripped through above mentioned code and you will never be victim of XSS. 确保发送到服务器的每个请求都被上述代码剥离,并且您永远不会成为XSS的受害者。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 尝试使用windows.location.href时,$ _ POST [&#39;&#39;]的值会丢失 - When trying to use windows.location.href , the values of $_POST[''] is lost 如何在同一页面上使用windows.location.href将js值传递给php时停止刷新页面 - How to stop refreshing page when passing js value to php using windows.location.href on the same page windows.location.href不起作用 - windows.location.href doesn't work windows.location.href无法在Firefox3上运行 - windows.location.href not working on Firefox3 如何在javascript中保护location.href免受跨站点脚本的影响? - how to protect location.href from cross site scripting in javascript? 防止 window.location.href 的跨站点脚本 - Preventing cross site scripting for window.location.href 使用windows.location.href(PHP)获取数据复选框 - Get data Checkbox with windows.location.href (PHP) 在处理MutationObserver突变事件时,windows.location.href发生了变化 - windows.location.href changes while handelng MutationObserver mutation events 如果在页面中找到单词“ Cheese”,则更改了windows.location.href目录的jQuery代码 - jQuery code that changed the windows.location.href directory if the word 'Cheese' found in the page 使用 html 实体执行跨站脚本 - Executing cross site scripting using html entity
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM