
How to securely send an e-mail from client without exposing an XSS vulnerability?

We have a business application that can be considered legacy. As a part of this application, users can send a mail to their clients with one of our business e-mail accounts. The mail content is sent as HTML directly to the server, and sanitized using a white list.

However, our client wishes to install a WAF which blocks almost all of the HTML tags from reaching the server. This means that even if we were to encode the files, tags such as br, b or img get blocked. After a lot of back and forth, it was ultimately left to us to circumvent this issue. How can we alter this system so that it does not use HTML tags, even in encoded forms? The WAF blocks even the lt gt forms of these.

For reference, we use Java 8 with JavaScript 1.7.
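One way to make the request body carry no HTML at all, shown as an added example that is not code from the original application or from any answer on this page: the client sends the mail body as a small JSON document model in which formatting is expressed as node types rather than tags, and the server renders that model to HTML through an allowlist, escaping every piece of user text. The node names (`text`, `bold`, `br`, `img`), the `v: 1` wire shape, the image-URL policy and the sample content are all assumptions made for this example; the server half is written in JavaScript here only so the round trip runs in one file, the same logic would live in the Java 8 back end.

```javascript
// Added example: rich mail content carried as a JSON document model, not as
// HTML. Node types, wire shape and URL policy are assumptions for this example.

// ---- client side -------------------------------------------------------

// Each paragraph is an array of inline nodes:
//   {type:"text", text}  {type:"bold", text}  {type:"br"}  {type:"img", src, alt}
// Formatting is carried by the "type" field, so no tag, and no entity-encoded
// tag, ever appears in the request body because of formatting.
function toWire(paragraphs) {
  return JSON.stringify({ v: 1, paragraphs });
}

// Limitation the client should surface: a user can still type "<b>" into a
// text run. That text reaches the WAF verbatim and will be blocked, so check
// before submitting and warn the user instead of losing the mail silently.
function wireCarriesAngleBrackets(wire) {
  return /[<>]/.test(wire);
}

// ---- server side -------------------------------------------------------

// Escape user text for use as an HTML text node or attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only absolute http(s) image sources are accepted; javascript:, data: and
// anything with quotes or angle brackets is rejected rather than escaped.
function safeImageSrc(src) {
  return typeof src === 'string' && /^https?:\/\/[^\s"'<>]+$/i.test(src) ? src : null;
}

// Allowlist of node renderers. Built on a null prototype so a node such as
// {type:"constructor"} cannot reach Object.prototype and be called.
const RENDERERS = Object.assign(Object.create(null), {
  text: n => escapeHtml(n.text || ''),
  bold: n => '<b>' + escapeHtml(n.text || '') + '</b>',
  br: () => '<br>',
  img: n => {
    const src = safeImageSrc(n.src);
    return src
      ? '<img src="' + escapeHtml(src) + '" alt="' + escapeHtml(n.alt || '') + '">'
      : '';
  },
});

// Unknown or malformed nodes are dropped, never passed through.
function renderNode(n) {
  const render = n && RENDERERS[n.type];
  return render ? render(n) : '';
}

function renderToHtml(wire) {
  const doc = JSON.parse(wire);
  if (!doc || doc.v !== 1 || !Array.isArray(doc.paragraphs)) {
    throw new Error('unsupported mail document');
  }
  return doc.paragraphs
    .map(p => (Array.isArray(p) ? p.map(renderNode).join('') : ''))
    .map(inner => '<p>' + inner + '</p>')
    .join('\n');
}

// Constructed sample content for the example (not real customer mail).
const SAMPLE_MAIL = [
  [{ type: 'text', text: 'Hello ' }, { type: 'bold', text: 'Alice' }, { type: 'text', text: ',' }],
  [
    { type: 'text', text: 'Your invoice is attached.' },
    { type: 'br' },
    { type: 'img', src: 'https://mail.example.com/logo.png', alt: 'logo' },
  ],
];

function renderSample() {
  const wire = toWire(SAMPLE_MAIL);
  // The wire body has no "<" or ">" in it, so a tag-matching WAF has nothing
  // to match; the HTML is only produced server side.
  return { wire, blocked: wireCarriesAngleBrackets(wire), html: renderToHtml(wire) };
}
```

The point of the design is that the sanitizer no longer has to recognise and strip dangerous markup out of a string that is already HTML; the server produces HTML only from a closed set of node types, and anything outside that set (an unknown `type`, a non-http image, a prototype-pollution-style `type` name) renders to nothing.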

Use AWS WAF V2 and define the desired WAF rules with the rule builder wizard. The text transformations rule statement (e.g. HTML entity decode) has nothing to do with the cross-site scripting attack rule statement. Tearing down security measures is generally not suggested, while not knowing what one is actually doing. Using two separate hostnames might make it easier to tell apart these requests, in order to apply two different rule sets; see how labeling works.

I mean, you could remove that HTML entity white list from the application and then declare it as a WAF rule statement instead. Then WAF would sanitize the request before it even hits the server. It is pointless to install a WAF, but then not to configure and use it.
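As an added illustration of the per-hostname rule set the answer describes (this is not the answer's own configuration), the AWS WAF V2 rule below applies the XSS match statement, with HTML entity decoding as its text transformation, to the request body of every request except those sent to the mail endpoint's hostname. The hostname `mail.example.com`, the rule name and the metric name are assumptions for the example.

```json
{
  "Name": "xss-body-except-mail-endpoint",
  "Priority": 0,
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "xssBodyExceptMailEndpoint"
  },
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "NotStatement": {
            "Statement": {
              "ByteMatchStatement": {
                "FieldToMatch": { "SingleHeader": { "Name": "host" } },
                "PositionalConstraint": "EXACTLY",
                "SearchString": "mail.example.com",
                "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
              }
            }
          }
        },
        {
          "XssMatchStatement": {
            "FieldToMatch": { "Body": {} },
            "TextTransformations": [ { "Priority": 0, "Type": "HTML_ENTITY_DECODE" } ]
          }
        }
      ]
    }
  }
}
```

Two caveats a practitioner should keep in mind: the `NotStatement` on the Host header only carves the mail endpoint out of this one rule, so the mail endpoint still needs its own rule that checks whatever the application's white list permits, and AWS WAF inspects only the leading part of a request body by default (the limit depends on the protected resource type), so the rule does nothing for tags that sit past that limit unless oversize handling is configured.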
