[英]auto-escape to prevent XSS
(when rendering a HTML template) (呈现HTML模板时)
<hidden name=”param${ns?htmlattr}” />
<a href=”${url?urlencode}”>${usercontent?htmlencode}</a>
${rawhtml?htmlliteral}
<script>
var a = “${str?jsstr}”; //null becomes “”
var b = ${str?quote,jsstr}; //allow null, render quotes if nonnull
var c = ${func?jsliteral}
var ${func?jsidentifier} = null;
</script>
\\t\\b\\f\\n\\r\\\\\\'\\"
and </
\\t\\b\\f\\n\\r\\\\\\'\\"
和</
</
</
<>&
and filters characters that aren't legal UTF-8 <>&
并过滤不合法的UTF-8字符 &
&
null
null
A few of these might not be relevant for security--they just help the code stay sane. 其中一些可能与安全性无关-它们只是帮助代码保持理智。 Which escape mode do we choose as the default to help prevent XSS -- be "more secure" by default?
我们选择哪种默认模式来帮助防止XSS-默认情况下“更安全”? What if we default to the most restrictive (htmlencode) and relax/switch excape modes from there?
如果我们默认使用限制性最强的(htmlencode)并从那里放松/切换原谅模式怎么办?
I'm not interested in discussing the merits of all these escape modes -- for better or worse, they all exist in our codebase. 我对讨论所有这些转义模式的优点不感兴趣-无论好坏,它们都存在于我们的代码库中。 Am I missing any modes?
我是否缺少任何模式? Any good reading material?
有什么好的阅读材料吗?
Take a look at http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html 看看http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html
That defines contexts in HTML and a mapping from those contexts to escaping functions. 这定义了HTML中的上下文以及从这些上下文到转义功能的映射。
For a runnable example, take a look at http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/index.html . 有关可运行的示例,请查看http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/index.html 。 Try starting with the "Safe HTML" examples from the dropdown menu at the top-right.
尝试从右上方的下拉菜单中的“安全HTML”示例开始。
To address your specific example, jsliteral
looks a little widgy. 为了解决您的特定示例,
jsliteral
看起来有些笨拙。 What benefit do you get from html encoding anything inside a <script>
block? html编码
<script>
块内的任何内容有什么好处? The content is CDATA. 内容是CDATA。
What are jsidentifier
and jsliteral
guarding? 什么是
jsidentifier
和jsliteral
防护? Do they stop dangerous identifiers like eval
from being assigned? 他们是否阻止像
eval
这样的危险标识符被分配? They should probably prevent <!--
in addition to </
since an injected /*<!--
could cause the </script>
to be ignored possibly allowing an later interpolation to masquerade as script content. 除了
</
之外,它们可能还应防止<!--
,因为注入的/*<!--
可能导致</script>
被忽略,从而可能使以后的插值伪装成脚本内容。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.