CodeIgniter - why use xss_clean
If I'm sanitizing my DB inserts, and also escaping the HTML I write with htmlentities($text, ENT_COMPAT, 'UTF-8') - is there any point to also filtering the inputs with xss_clean? What other benefits does it give?
xss_clean() is extensive, and also silly. 90% of this function does nothing to prevent xss, such as looking for the word alert but not document.cookie. No hacker is going to use alert in their exploit; they are going to hijack the cookie with xss or read a CSRF token to make an XHR.
However, running htmlentities() or htmlspecialchars() with it is redundant. A case where xss_clean() fixes the issue and htmlentities($text, ENT_COMPAT, 'UTF-8') fails is the following:
<?php
// $var is taken straight from the query string (assumed, matching the PoC URL below)
$var = $_GET['var'];
// Unescaped value inside a single-quoted attribute: the vulnerable pattern under discussion
print "<img src='$var'>";
?>
A simple poc is:
http://localhost/xss.php?var=http://domain/some_image.gif '%20onload=alert(/xss/)
This will add the onload= event handler to the image tag. A method of stopping this form of xss is htmlspecialchars($var, ENT_QUOTES); or in this case xss_clean() will also prevent this.
However, quoting from the xss_clean() documentation:
Nothing is ever 100% foolproof, of course, but I haven't been able to get anything passed the filter.
That being said, XSS is an output problem, not an input problem. For instance, this function cannot take into account that the variable is already within a <script> tag or event handler. It also doesn't stop DOM Based XSS. You need to take into consideration how you are using the data in order to use the best function. Filtering all data on input is a bad practice. Not only is it insecure, but it also corrupts data, which can make comparisons difficult.
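The single-quoted attribute case from this answer, written out as an added example (this is not code from the answer or from CodeIgniter). It renders the same <img src='...'> markup with htmlentities(..., ENT_COMPAT) and with htmlspecialchars(..., ENT_QUOTES), feeds both a constructed value shaped like the PoC query parameter, and checks whether the attribute is still intact. The function names and the sample value are my own.

```php
<?php
// Added example: why htmlentities(..., ENT_COMPAT) is not enough for a
// single-quoted attribute, while htmlspecialchars(..., ENT_QUOTES) is.
// Not CodeIgniter code; function names are illustrative.

function render_img_compat(string $src): string
{
    // ENT_COMPAT converts double quotes only. A single quote passes through
    // untouched and can therefore close a single-quoted src attribute.
    return "<img src='" . htmlentities($src, ENT_COMPAT, 'UTF-8') . "'>";
}

function render_img_quotes(string $src): string
{
    // ENT_QUOTES converts both quote kinds, so the single quote becomes an
    // entity and can no longer terminate the attribute.
    return "<img src='" . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . "'>";
}

// Minimal check suitable for a unit test: the markup wraps the value in exactly
// two single quotes; any extra raw quote means the attribute was broken out of.
function attribute_intact(string $html): bool
{
    return substr_count($html, "'") === 2;
}

// Constructed sample input: what $_GET['var'] holds after the web server has
// decoded the %20 in the PoC URL from the answer.
$sample = "http://domain/some_image.gif ' onload=alert(/xss/)";

$compat = render_img_compat($sample);
$quotes = render_img_quotes($sample);

echo $compat, PHP_EOL;
echo $quotes, PHP_EOL;
var_dump(attribute_intact($compat));
var_dump(attribute_intact($quotes));
```

Run with php on the command line: the ENT_COMPAT rendering contains a third raw quote followed by a bare onload= attribute, so attribute_intact() reports false for it and true for the ENT_QUOTES rendering. The flag that matters is chosen by the output context (the quoting style of the attribute you are writing into), which is the point the answer makes about XSS being an output problem.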
In your case, "stricter methods are fine, and lighter weight". CodeIgniter developers intend xss_clean() for a different use case, "a commenting system or forum that allows 'safe' HTML tags". This isn't clear from the documentation, where xss_clean is shown applied to a username field.
There's another reason to never use xss_clean(), that hasn't been highlighted on stackoverflow so far. xss_clean() was broken during 2011 and 2012, and it's impossible to fix completely. At least without a complete redesign, which didn't happen. At the moment, it's still vulnerable to strings like this:
<a href="j&#x41;vascript:alert%252831337%2529">Hello</a>
The current implementation of xss_clean() starts by effectively applying urldecode() and html_entity_decode() to the entire string. This is needed so it can use a naive check for things like "javascript:". At the end, it returns the decoded string.
An attacker can simply encode their exploit twice. It will be decoded once by xss_clean(), and pass as clean. You then have a singly-encoded exploit, ready for execution in the browser.
I call these checks "naive" and unfixable because they're largely reliant on regular expressions. HTML is not a regular language. You need a more powerful parser to match the one in the browser; xss_clean() doesn't have anything like that. Maybe it's possible to whitelist a subset of HTML, which lexes cleanly with regular expressions. However, the current xss_clean() is very much a blacklist.
I would recommend using http://htmlpurifier.org/ for doing XSS purification. I'm working on extending my CodeIgniter Input class to start leveraging it.
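As an added example of the alternative this answer argues for (an allowlist applied at output time rather than a decode-then-blacklist pass over input), here is a small PHP sketch. It is not CodeIgniter's code and not HTML Purifier; the function names and the http/https scheme list are my choice. The stored value is never decoded or altered, and the href decision is made only where the value is written into an attribute.

```php
<?php
// Added example: output-time allowlisting for an href attribute.
// Not CodeIgniter or HTML Purifier code; names and the scheme list are illustrative.

// Store exactly what the user sent. No decoding and no "cleaning" on input,
// so the stored value remains comparable and nothing is lost.
function store_link(string $raw): string
{
    return $raw;
}

// Output-time decision: accept only URLs that parse cleanly with an http or https
// scheme and a host. Everything the allowlist cannot positively classify, including
// values with no recognisable scheme, falls back to a harmless placeholder. No
// decoding is performed: an entity- or percent-encoded scheme never equals the
// literal string "http", so it is rejected along with everything else.
function safe_href(string $raw): string
{
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '#';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '#';
    }
    // Accepted URL: escape for the attribute context it is being written into.
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

function render_link(string $raw, string $text): string
{
    return '<a href="' . safe_href($raw) . '">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8')
        . '</a>';
}

// Constructed samples: the string quoted in the answer, a bare javascript: URL,
// and an ordinary link with a query string.
$samples = [
    'j&#x41;vascript:alert%252831337%2529',
    'javascript:alert(1)',
    'https://example.com/page?a=1&b=2',
];

foreach ($samples as $s) {
    echo render_link(store_link($s), 'Hello'), PHP_EOL;
}
```

The first two samples produce href="#" because neither yields an http or https scheme with a host from parse_url(); the third is kept and its ampersand is entity-encoded for the attribute. The design point is that an allowlist fails closed without needing to decode or guess at encodings, which is exactly what a regex blacklist over decoded input cannot promise.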
Yes, you should still be using it. I generally make it a rule to use it at least on public facing input, meaning any input that anyone can access and submit to.
Generally, sanitizing the input for DB queries seems like a side-effect, as the true purpose of the function is to prevent Cross-site Scripting Attacks.
I'm not going to get into the nitty gritty details of every step xss_clean takes, but I will tell you it does more than the few steps you mentioned. I've pastied the source of the xss_clean function (dead link) so you can look yourself; it is fully commented.
If you want the filter to run automatically every time it encounters POST or COOKIE data, you can enable it by opening your application/config/config.php file and setting this:
$config['global_xss_filtering'] = TRUE;
You can enable csrf protection by opening your application/config/config.php file and setting this:
$config['csrf_protection'] = TRUE;
For more details, please see the following link.
https://ellislab.com/codeigniter/user-guide/libraries/security.html