如何通过 JQuery 修复 CWE 117(不正确的 Output 中和日志)
[英]How to fix CWE 117 (Improper Output Neutralization for Logs) by JQuery
问题描述
The scan throw this error about this line:
扫描对这一行抛出此错误:
console.log(msg);
I need this line on my code, but I want to change to more secure.我的代码需要这一行,但我想更改为更安全。 I added this to my code:我将此添加到我的代码中:
var newMsg = msg.replace('\n', '_').replace('\r', '_');
Then I sent the newMsg to the log.然后我将newMsg发送到日志。 I saw it isn't enough, I read that sometimes should to encoded the message.我看到这还不够,我读到有时应该对消息进行编码。 When should I encode it, and how can I do it in javascript/jQuery?我什么时候应该对其进行编码,以及如何在 javascript/jQuery 中进行编码?
Thanks谢谢
1 个解决方案
解决方案1
0 2020-04-27 15:30:34
To get rid of CWE 117 (raw value log printing on production enviroments) you should go through mitigation steps on MITRE's specification , this is:要摆脱 CWE 117(在生产环境中打印原始值日志),您应该通过 MITRE规范中的缓解步骤 go ,这是:
INPUT VALIDATION code(before log printing) should:输入验证代码(在打印日志之前)应该:
- Disallow content (business logic specific)禁止内容(特定于业务逻辑)
Escape HTML content:
转义 HTML 内容:In: `<p>Hello <script>this_is_bad_code</script> world:</p>` Out; `<p>Hello <script>this_is_bad_code</script> world;</p>`Strip content:
剥离内容:In: <p>Hello <script>this_is_bad_code</script> world:</p> Out: Hello world!Clean content to get safe html (business logic specific):
清理内容以获得安全 html(特定于业务逻辑):In: <p>Hello <script>this_is_bad_code</script> world:</p> Out: <p>Hello world!</p>
OUTPUT DECODING : This is a shabby one in js, as a js source file can have any kind of encoding, JavaScript will convert it to UTF-16 before executing it, still you can: OUTPUT DECODING :这是 js 中的一个破旧的,因为 js 源文件可以有任何类型的编码,JavaScript 会在执行之前将其转换为 UTF-16,你仍然可以:
Check if current page encoding tag value is up in header:
检查当前页面编码标签值是否在 header 中:Content-Type: application/javascript; charset=utf-8Check if source js encoding tag value is up:
检查源 js 编码标签值是否为 up:<script src="./source.js" charset="utf-8">
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.