堆栈内存溢出
  简体   繁体   English

可以用html href标签编写Javascript吗?

[英]Can Javascript be written in a html href tag?

 原文  2010-06-18 23:55:54       javascript/ security/ html-agility-pack/ whitelist

问题描述

I am trying to figure out all the ways javascript can be written. 我试图找出所有可以编写javascript的方法。 I am making a white list of acceptable tags however the attributes are getting me. 我正在制作可接受标签的白名单,但是属性使我着迷。

In my rich html editor I allow stuff like links. 在我丰富的html编辑器中,我允许诸如链接之类的东西。 

<a href="">Hi </a>

Now I am using html agility pack to get rid of attributes I won't support and html tags for that matter. 现在,我使用html敏捷包摆脱了我将不支持的属性和html标签。

However I am still unclear if a person could do something like this 但是我仍然不清楚一个人是否可以做这样的事情 

<a href="<script>alert('hi')</script>">Bad </a>

So I am not sure if I have to start looking at the inner text of all attributes that I support and html encode them? 因此,我不确定是否必须开始查看我支持的所有属性的内部文本并对其进行html编码? Or if what. 或者,如果。

I am also not sure how to prevent a html link that goes to some page and launches some javascript on load. 我也不确定如何防止html链接转到某个页面并在加载时启动一些javascript。

I am not sure if a white list can stop that one. 我不确定白名单是否可以阻止该名单。

3 个解决方案

解决方案1
 5 已采纳  2010-06-18 23:57:35

<a href="javascript:void(0)" onclick="alert('hi');">Bad</a>

要么

<a href="javascript:alert('hi');">Bad</a>

解决方案2
 3  2010-06-19 00:21:56

If you're trying to write an XSS validator for user-entered HTML for production, I highly recommend you use an existing library. 如果您试图为用户输入的HTML编写XSS验证器以进行生产,则强烈建议您使用现有的库。 Even with the whitelist approach you are taking, there are many, many possible attribute values that can result in XSS. 即使采用了白名单方法,也有很多可能导致XSS的属性值。 Search for "javascript:" in the XSS Cheat Sheet to see all sorts of places javascript: uris can turn up. XSS备忘单中搜索“ javascript:”以查看javascript:uris可以出现的各种地方。 Here is an incomplete list: 这是不完整的清单: 

<IMG SRC="javascript:alert('XSS');">
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">

There are also ways to inject external script urls, like this: 还有一些注入外部脚本URL的方法,如下所示: 

<XSS STYLE="behavior: url(xss.htc);">

If you're writing this for your own education, then the XSS Cheat Sheet has some really great fodder for unit tests. 如果您是为自己的学习而写的,那么XSS备忘单有一些非常好的单元测试工具。

解决方案3
 1  2010-06-18 23:59:46

you can do this: 你可以这样做: 

<a href="javascript:(function(){
    alert('hello');
})()">Hello</a>

if you want to get really crazy 如果你想变得疯狂

Edit: I like this even better 编辑:我更喜欢这个 

<a onclick="alert(eval({Crazy:function(){alert('Hello');return 'World';}}).Crazy());">
    Crazy
</a>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 将Javascript字符串var传递给HTML href标记 - Passing Javascript string var to HTML href tag 将值从Javascript返回到HTML <a href>标签</a> - Return value from Javascript to HTML <a href> tag “javascript:;”表示HTML锚标记中的href属性 - “javascript:;” for href attribute in HTML anchor tag 获取用 javascript 编写的 href 属性 - Getting href attribute as written with javascript 如何调试HTML脚本标记中编写的JavaScript - How do I debug JavaScript written within a script tag in the HTML 如何<a>使用javascript</a>读取html“ <a>”标签中的</a>所有href链接 - How to read all href link in html “<a>” tag using javascript 从HTML中的href标签调用javascript函数的另一种方法 - another way of calling javascript Function from href tag in html 如何在 html 标签内插入 javascript 变量<a href>?</a> - How to insert a javascript variable inside an <a href> html tag? href 标签中的 Javascript var - Javascript var in href tag 如何将Javascript变量传递给HTML <a href>标签</a>的NAME属性<a href>?</a> - How to pass a Javascript variable to the NAME attribute of an HTML <a href> tag?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM