Cross site scripting when using windows.location.href
I am using window.location.href = URL to navigate to an MVC controller method from JavaScript. I want to avoid any XSS attack when redirecting. What should I do?
You can write your own XSS sanitising function:
    function encodeHTML(s) {
        // replace the characters that are special in HTML with their entities
        return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
    }
    window.location.href = encodeHTML(URI);
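Added example, not code from the answer above or from the asker's project: HTML entity encoding changes none of the characters in a URL such as javascript:alert(1), so a value that is assigned to window.location.href needs to be validated as a URL rather than escaped as HTML. The function below parses the candidate with the standard URL constructor (which resolves relative paths against the current origin and normalises scheme case and embedded tabs or newlines), then allows only http(s) targets on the current origin or on a small list of trusted hosts. The origin and the trusted host name are assumptions for the demonstration.

```javascript
// Added example: allowlist validation of a redirect target before it is
// assigned to window.location.href. Not code from the original answer.

// Assumption: hosts other than the current origin that redirects may go to.
const TRUSTED_HOSTS = new Set(['example.com']);

// Returns the normalised absolute URL if it is safe to navigate to, else null.
function safeRedirectTarget(candidate, currentOrigin) {
  let url;
  try {
    // Relative paths such as "/Home/Index" resolve against currentOrigin.
    // "javascript:alert(1)" and "data:..." parse successfully here and are
    // rejected by the scheme check below; the parser also lowercases the
    // scheme and strips tabs/newlines, so "JaVa\tscript:" is not a bypass.
    url = new URL(String(candidate), currentOrigin);
  } catch (e) {
    return null; // unparseable input is never assigned to location.href
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return null; // blocks javascript:, data:, vbscript: and any other scheme
  }
  if (url.origin !== currentOrigin && !TRUSTED_HOSTS.has(url.hostname)) {
    return null; // open-redirect guard: "//evil.example.net/x" ends up here
  }
  return url.href;
}

// Navigation helper: only a validated URL reaches window.location.href.
// Outside a browser (e.g. under Node) it just returns the validated target;
// the fallback origin is an assumption for the stand-alone run.
function redirect(candidate) {
  const origin = typeof window !== 'undefined'
    ? window.location.origin
    : 'https://app.example.org';
  const target = safeRedirectTarget(candidate, origin);
  if (target === null) {
    throw new Error('refusing to navigate to an untrusted URL: ' + candidate);
  }
  if (typeof window !== 'undefined') {
    window.location.href = target;
  }
  return target;
}
```

Call redirect() wherever the original code assigned window.location.href directly; a rejected value throws instead of navigating, which is the behaviour you want for a parameter that came from the query string or from user input.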
It should be very easy. I have a ready-made solution for you. First of all, some theoretical understanding.
RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
<script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script
<style>...NEVER PUT UNTRUSTED DATA HERE...</style> directly in CSS
RULE #1 - HTML and JavaScript Escape Before Inserting Untrusted Data into HTML Element Content
...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE... inside HTML element content (HTML-escaped)
<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script> inside a quoted string
Escaping as in:
& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27;   &apos; is not recommended because it is not in the HTML spec (see section 24.4.1); &apos; is in the XML and XHTML specs.
/ --> &#x2F;   the forward slash is included as it helps end an HTML entity
Ensure the returned Content-Type header is application/json and not text/html.
Coming to the coding portion, the following would help you:
import java.util.regex.Pattern;

// Blacklist-style stripping of common XSS vectors from a request parameter.
private String killXSS(String value) {
    if (value != null) {
        // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
        // avoid encoded attacks.
        // value = ESAPI.encoder().canonicalize(value);
        // Avoid null characters
        value = value.replaceAll("\0", "");
        // Avoid anything between script tags
        Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");
        // Avoid anything in a src='...' type of expression
        scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
        scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
        // Remove any lonesome </script> tag
        scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");
        // Remove any lonesome <script ...> tag
        scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
        // Avoid eval(...) expressions
        scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
        // Avoid expression(...) expressions
        scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
        // Avoid javascript:... expressions
        scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");
        // Avoid vbscript:... expressions
        scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");
        // Avoid onload= expressions
        scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
    }
    return value;
}
Make sure every request you send to the server is stripped through the above-mentioned code and you will never be a victim of XSS.
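Added example, not code from the answer above: the entity table the answer quotes, implemented as an escaper for HTML element content, next to the \xHH escaping that the same rules call for when untrusted data lands inside a quoted JavaScript string. The last constructed payload shows why these escapers do not answer the asker's case on their own: javascript:alert(1) contains none of the escaped characters, so it passes through unchanged and would still run if assigned to window.location.href. Escaping is chosen per output context, and a navigation target is a URL context, not an HTML one.

```javascript
// Added example: output escaping per context, following the entity table
// quoted in the answer above. Not code from the original answer.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;', // &apos; deliberately not used, per the note in the rule
  '/': '&#x2F;', // escaped because it can close an HTML entity or tag
};

// Rule #1: HTML-escape before inserting untrusted data into element content.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// For a value placed inside a quoted JavaScript string literal: every
// non-alphanumeric character becomes \xHH (or \uHHHH above U+00FF), so
// neither a closing quote nor "</script>" survives into the markup.
function escapeJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Two fragments built the way a server-side view would build them.
function renderGreeting(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

function renderInlineScript(value) {
  return "<script>alert('" + escapeJsString(value) + "')</script>";
}

// A post-condition a template engine can check: escaped element content
// never contains a raw tag or attribute delimiter.
function hasRawMarkupDelimiters(escaped) {
  return /[<>"']/.test(escaped);
}

// Constructed payloads for the demonstration.
const TAG_PAYLOAD = '<img src=x onerror="alert(1)">';
const SCRIPT_PAYLOAD = "');alert(1);//</script>";
const URL_PAYLOAD = 'javascript:alert(1)';
```

escapeHtml(URL_PAYLOAD) returns the payload byte-for-byte, which is the point: for a redirect target, validate the URL's scheme and host instead of escaping it.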