从 XSS 攻击中清理输入请求参数
[英]Sanitize an input request param from XSS attack
问题描述
I am working on securing the input request params to my application from XSS attacks.
我正在努力保护我的应用程序的输入请求参数免受 XSS 攻击。 I came across the owasp cheat sheet for securing against XSS attack.我遇到了 owasp 备忘单,用于防止 XSS 攻击。 I am following the instructions on https://github.com/owasp/java-html-sanitizer .我按照https://github.com/owasp/java-html-sanitizer上的说明进行操作。
I have managed to block the XSS attack (done by means of supplying events like onMouseOver appended to input param) by using below code:我已经设法通过使用以下代码阻止了 XSS 攻击(通过提供附加到输入参数的 onMouseOver 之类的事件来完成):
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);
value = policy.sanitize(value); // Value is the "value" of input param
This converts something like name=FIRST" onmouseover="alert('222') supplied in querystring: X=Val1&Y=&Z=&A=false&name=FIRST" onmouseover="alert('222')&B=456&C=123 to这会将查询字符串中提供的类似name=FIRST" onmouseover="alert('222') : X=Val1&Y=&Z=&A=false&name=FIRST" onmouseover="alert('222')&B=456&C=123转换为
<span class="db-wrap-name" title="FIRST"" onload="alert('222s2')="">FIRST" onload="alert('2222')</span>
My question is this Sanitization sufficient to protect the input param from XSS?我的问题是这种消毒足以保护输入参数免受 XSS 攻击吗?
PS: Can someone point me to a linear source to go through the OWASP HTML Sanitization. PS:有人可以通过 OWASP HTML 消毒将我指向 go 的线性源。 I have managed to get understanding on this but there are gaps.我已经设法对此有所了解,但存在差距。 It will be great if I can get a linear source.如果我能得到一个线性源,那就太好了。
Thanks谢谢
1 个解决方案
解决方案1
0 2019-10-10 09:13:48
No. This is not sufficient.不,这还不够。 See OWASP XSS Cheat Sheet .请参阅OWASP XSS 备忘单。
For Fighting XSS you must:为了对抗 XSS,您必须:
- Validate your inputs验证您的输入
- Eventually escape some characters in the inputs最终转义输入中的一些字符
- Encode the data you send back to the client.对发送回客户端的数据进行编码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.