[英]How to fix CWE 117 (Improper Output Neutralization for Logs) by JQuery
The scan throw this error about this line:扫描对这一行抛出此错误:
console.log(msg);
I need this line on my code, but I want to change to more secure.我的代码需要这一行,但我想更改为更安全。 I added this to my code:
我将此添加到我的代码中:
var newMsg = msg.replace('\n', '_').replace('\r', '_');
Then I sent the newMsg
to the log.然后我将
newMsg
发送到日志。 I saw it isn't enough, I read that sometimes should to encoded the message.我看到这还不够,我读到有时应该对消息进行编码。 When should I encode it, and how can I do it in javascript/jQuery?
我什么时候应该对其进行编码,以及如何在 javascript/jQuery 中进行编码?
Thanks谢谢
To get rid of CWE 117 (raw value log printing on production enviroments) you should go through mitigation steps on MITRE's specification , this is:要摆脱 CWE 117(在生产环境中打印原始值日志),您应该通过 MITRE规范中的缓解步骤 go ,这是:
INPUT VALIDATION code(before log printing) should:
输入验证代码(在打印日志之前)应该:
Escape HTML content:转义 HTML 内容:
In: `<p>Hello <script>this_is_bad_code</script> world:</p>` Out; `<p>Hello <script>this_is_bad_code</script> world;</p>`
Strip content:剥离内容:
In: <p>Hello <script>this_is_bad_code</script> world:</p> Out: Hello world!
Clean content to get safe html (business logic specific):清理内容以获得安全 html(特定于业务逻辑):
In: <p>Hello <script>this_is_bad_code</script> world:</p> Out: <p>Hello world!</p>
OUTPUT DECODING : This is a shabby one in js, as a js source file can have any kind of encoding, JavaScript will convert it to UTF-16 before executing it, still you can:
OUTPUT DECODING :这是 js 中的一个破旧的,因为 js 源文件可以有任何类型的编码,JavaScript 会在执行之前将其转换为 UTF-16,你仍然可以:
Check if current page encoding tag value is up in header:检查当前页面编码标签值是否在 header 中:
Content-Type: application/javascript; charset=utf-8
Check if source js encoding tag value is up:检查源 js 编码标签值是否为 up:
<script src="./source.js" charset="utf-8">
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.