
How can we prevent HTML injection in FastAPI?

We are developing REST APIs using the Python framework called FastAPI. The code security test failed for HTML injection. They are sending some HTML tag code in the POST payload; we are inserting that in the DB and sending the same in the GET response. Is there any way to prevent this HTML injection while processing the request in FastAPI?

Yes. No framework is going to magically change the content you get without you being explicit about it. (Imagine if it was a REST API for recording HTML snippets from an internal system to be used in rendering web pages in another endpoint: you'd need the HTML as is.)

It is just a matter of calling an escape function on your input data, before putting that in the DB.

Python's standard library `html.escape` function suffices in this case.

There is no code in your question, and I don't know FastAPI by heart - but if it puts the payload in the DB without going through any code you write, then you should either customize that and put in this call to preprocess your data, or add a triggered stage (that is, an event subscriber) that will do that for you.
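As an added illustration of the answer above (not code from the question or from FastAPI itself), here is the escaping step applied once at the input boundary, before the value reaches the database. It uses only the standard library so it runs offline; the in-memory `_DB` dict, the `create_item`/`get_item` stand-ins for the POST and GET handlers, and the sample payload are all constructed assumptions. In a real FastAPI app the same `escape_payload` call would sit in the route function or in a Pydantic validator on the request model.

```python
import html
from typing import Any

# Constructed sample payload, shaped like what a security test might POST
# (not taken from the original question).
SAMPLE_PAYLOAD = {
    "name": "<script>alert('x')</script>",
    "tags": ["<b>bold</b>", "plain"],
    "profile": {"bio": 'He said "hi" & left'},
    "age": 42,
}


def escape_payload(value: Any) -> Any:
    """Recursively HTML-escape every string in a JSON-like payload.

    Non-string scalars (int, float, bool, None) are returned unchanged.
    Escape exactly once, at the input boundary: html.escape is not
    idempotent ('&amp;' would become '&amp;amp;'), so the stored value
    must not be escaped again when it is returned by the GET handler.
    """
    if isinstance(value, str):
        # quote=True (the default) also escapes " and ', which matters when
        # the stored value is later placed inside an HTML attribute.
        return html.escape(value, quote=True)
    if isinstance(value, dict):
        return {k: escape_payload(v) for k, v in value.items()}
    if isinstance(value, list):
        return [escape_payload(v) for v in value]
    return value


# Hypothetical in-memory stand-in for the database from the question.
_DB: dict = {}


def create_item(item_id: int, payload: dict) -> dict:
    """Stand-in for the POST handler: escape, then persist."""
    _DB[item_id] = escape_payload(payload)
    return _DB[item_id]


def get_item(item_id: int) -> dict:
    """Stand-in for the GET handler: return the stored, already-escaped data."""
    return _DB[item_id]


if __name__ == "__main__":
    create_item(1, SAMPLE_PAYLOAD)
    print(get_item(1))
```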
