如果我让用户上传自己的 html/css/js 文件,是否存在任何可能的安全问题?
[英]Are there any possible security issues if I let users upload their own html/css/js files?
问题描述
I am making a store, where I want to allow the users to upload a custom html/js/css website to display with their product.
我正在创建一个商店,我希望允许用户上传自定义 html/js/css 网站以显示他们的产品。
What security issues should I look for?我应该寻找哪些安全问题?
1 个解决方案
解决方案1
1 2020-06-17 16:21:07
The two biggest issues surrounding DHTML are:围绕 DHTML 的两个最大问题是:
- Script Injection脚本注入
- Cross-site scripting跨站脚本
CSS files are safe CSS 文件是安全的
.html and.js files are NOT safe. .html 和 .js 文件不安全。 You can make.html files safe by insisting on your own Content-Security-Policy: shutting down inline scripts and styles, and only allowing them to use libraries that you've vetted.您可以通过坚持自己的 Content-Security-Policy 来使.html 文件安全:关闭内联脚本和 styles,只允许他们使用您审查过的库。 .js files need to be personally inspected to ensure that they are safe. .js 文件需要亲自检查以确保它们是安全的。
My advice is that instead of letting them update the html and js files, it would be safer to provide a template that they could file out online, and whose content you could store in a database.我的建议是,与其让他们更新 html 和 js 文件,不如提供一个他们可以在线归档的模板,并且您可以将其内容存储在数据库中,这样会更安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.