Vulnerabilities of letting user define innerHTML
Let's say I have a <textarea> and a <div> element, and when the user puts HTML, CSS, or whatever they want into the textarea, their input is set as the innerHTML of the <div> element, using javascript.
What are the vulnerabilities of letting the user define the content of a <div> element?
If the content they enter does not leave the page, there is no more risk than them editing the DOM through Firebug or the Chrome inspector. If you take their input and then display it as is, that is a huge security risk, especially when other users are on your website.
Well, if you encode the contents so that any javascript that is in there won't execute, then it should be safe.
If you don't, then a user could upload javascript that would execute the next time another user views that page.
I want to modify my response to take into account @Brigham's comments. Escaping only works reliably if you are dealing with the innerHTML of something like a div tag; if you are dealing with using a user-generated value as an attribute or within a script tag, then escaping/encoding won't work.
I'll refer you to the OWASP XSS guidance (that @Brigham originally brought to my attention) for more information: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#Untrusted_Data
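As an added example (not code from the question or any answer), here is the element-body escaping the answer above refers to, the separate attribute-context encoding it says plain escaping cannot replace, and the textContent alternative that avoids innerHTML altogether. The function names, the comment markup and the sample input are assumptions for illustration.

```javascript
// Added example, not code from the question or any answer. Function names,
// the comment markup and the sample input are assumptions for illustration.

// OWASP rule #1 (HTML body context): replace the characters that can open a
// tag, start an entity or close a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// OWASP rule #2 (attribute context): encode every non-alphanumeric character
// as &#xHH;, because an unquoted attribute can be ended by whitespace and other
// characters that escapeHtml() leaves untouched.
function escapeHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g,
    (ch) => `&#x${ch.charCodeAt(0).toString(16).padStart(2, '0')};`);
}

// Simplest safe option when the text should be shown literally: textContent
// never parses markup, so no part of the string can become a <script> tag.
function showAsText(element, untrusted) {
  element.textContent = String(untrusted);
  return element;
}

// When markup has to be assembled as a string (for example by a server that
// renders stored comments into the page), each value is escaped for the
// context it lands in: attribute value vs. element body.
function renderComment(author, text) {
  return `<div class="comment" data-author="${escapeHtmlAttribute(author)}">` +
         `${escapeHtml(text)}</div>`;
}

// Constructed sample of textarea input; the hostname is a placeholder.
const sampleInput = '<script src="https://example.invalid/a.js"></script>';
```

Note that neither helper makes a value safe inside an existing <script> block; the cheat sheet lists that as a separate context with its own rule.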
The user can do cross-site scripting. It can inject malicious client-side code.
Take a look at http://en.wikipedia.org/wiki/Cross-site_scripting
Whatever they want could include a <script> tag which pulls a .js file from their own server. Then if you show that content to another user, the script could do all kinds of things to extract information from the unsuspecting user.