解析 HTML 的 JavaScript / Lit-element 安全方法
[英]JavaScript / Lit-element safe way to parse HTML
问题描述
I am getting some html from my server that I want to put into my page.
我从我的服务器获取了一些 html,我想将其放入我的页面中。 However I want it to be sanitized (just in case).但是,我希望对其进行消毒(以防万一)。
However I am not quite sure how to do this.但是我不太确定如何做到这一点。
So far I've tried:到目前为止,我已经尝试过:
<div .innerHTML="${body}"></div>
Since that should parse it as HTML but I am not 100% sure that this is the best way.因为这应该将其解析为 HTML,但我不是 100% 确定这是最好的方法。
I have also looked at online sanitizers but haven't been able to find any that match my project ( Lit-element web component).我还查看了在线消毒剂,但找不到与我的项目( Lit-element Web 组件)匹配的任何消毒剂。
Is there a better way to parse HTML and if so how?有没有更好的方法来解析 HTML,如果有,如何解析?
2 个解决方案
解决方案1
2 已采纳 2020-11-10 13:05:35
document.getElementById('my-target').append(new DOMParser().parseFromString(data, 'text/html').body.children);
解决方案2
0 2020-11-14 20:57:24
It's not clear whether you want to render the html as html or as text.目前尚不清楚您要将 html 呈现为 html 还是文本。
I seem to remember that lit-html does some things behind the scenes to produce secure templates but surprisingly I cannot find official content to back up that statement.我似乎记得lit-html在幕后做了一些事情来生成安全模板,但令人惊讶的是我找不到官方内容来支持该声明。 Others have asked about this before .其他人之前也问过这个问题。
In that GitHub issue we can see that Mike Samuel mentions that what you're doing is not secure.在那个GitHub 问题中,我们可以看到 Mike Samuel 提到你正在做的事情并不安全。
You can trust Mike Samuel: he's worked in the security field at Google and I had the privilege to listen to one of his talks on the topic two years ago .您可以相信 Mike Samuel:他曾在 Google 从事安全领域的工作,两年前我有幸聆听了他关于该主题的一次演讲。
Here's a quick example:这是一个快速示例:
<p .innerHTML=${'<button onclick="alert(42)">click</button>'}></p>
This renders a button which produces an alert when you click on it.这将呈现一个按钮,当您单击它时会产生警报。 In this example the JavaScript code is harmless but it's not hard to imagine something way more dangerous.在这个例子中,JavaScript 代码是无害的,但不难想象一些更危险的东西。
However this simply renders the code as string.然而,这只是将代码呈现为字符串。 The content is somehow escaped and therefore totally harmless.内容以某种方式逃脱,因此完全无害。
<p>${'<button onclick="alert(42)">click</button>'}></p>
In fact similar to React's dangerouslySetInnerHTML attribute you need to "opt out" from secure templating via lit-html unsafeHTML directive :事实上,类似于 React 的危险设置lit-html 属性,您需要通过lit-html unsafeHTML 指令“选择退出”安全模板:
Renders the argument as HTML, rather than text.
Note, this is unsafe to use with any user-provided input that hasn't been sanitized or escaped, as it may lead to cross-site-scripting vulnerabilities.
<p>${unsafeHTML('<button onclick="alert(42)">click</button>')}></p>
About DOMParser#parseFromString关于DOMParser#parseFromString
In this introductory article about trusted-types we can see that this method is a known XSS sink.在这篇关于可信类型的介绍性文章中,我们可以看到这种方法是一个已知的 XSS 接收器。
Sure it won't execute <script> blocks but it won't sanitise the string for you.当然它不会执行<script>块,但它不会为你清理字符串。 You are still at risk of XSS here:你在这里仍然有 XSS 的风险:
<p .innerHTML="${(new DOMParser()).parseFromString('<button onclick="alert(42)">click</button>','text/html').body.innerHTML}"></p>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.