
Vulnerabilities of letting user define innerHTML

Let's say I have a <textarea> and <div> element, and when the user puts HTML, CSS, or whatever they want into the textarea, their input is set as the innerHTML of the <div> element, using JavaScript.

What are the vulnerabilities of letting the user define the content of a <div> element?

If the content they enter does not leave the page, there is no more risk than them editing the DOM through Firebug or the Chrome inspector. If you take their input and then display it as is, that is a huge security risk, especially when other users are on your website.

Well, if you encode the contents so that any JavaScript that is in there won't execute, then it should be safe.

If you don't, then a user could upload JavaScript that would execute the next time another user views that page.

I want to modify my response to take into account @Brigham's comments. Escaping only works reliably if you are dealing with the innerHTML of something like a div tag; if you are using a user-generated value as an attribute or within a script tag, then escaping/encoding won't work.

I'll refer you to the OWASP XSS guidance (that @Brigham originally brought to my attention) for more information: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#Untrusted_Data
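Added example, not code from this thread: entity-escaping user text before it becomes element content, and a check showing why that same escaping is not enough once the text lands in an unquoted attribute, which is the context distinction the answer above makes. All function names and sample inputs are constructed for the illustration; `example.invalid` is a placeholder host.

```javascript
// Characters that can change HTML structure in text and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Entity-escape a string so a browser renders it as literal text.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern from the question: the raw string is exactly what the browser
// parses as markup after `div.innerHTML = textarea.value`.
function renderUnsafe(userText) {
  return userText;
}

// Hardened: the returned markup displays the input as text, not as elements.
// In a browser, `div.textContent = textarea.value` has the same effect.
function renderEscaped(userText) {
  return escapeHtml(userText);
}

// Unquoted attribute context: whitespace ends the attribute value and starts a
// new attribute, and escapeHtml never touches whitespace, so escaping alone
// does not keep the value inside the attribute.
function renderUnquotedAttr(userText) {
  return `<div title=${escapeHtml(userText)}></div>`;
}

// Quoted attribute context: the quote becomes &quot;, so the value cannot
// terminate the attribute early.
function renderQuotedAttr(userText) {
  return `<div title="${escapeHtml(userText)}"></div>`;
}

// Rough structural check used to compare the outputs: count tag openers.
function tagCount(markup) {
  return (markup.match(/<[a-zA-Z\/!]/g) || []).length;
}

// Constructed sample inputs (not taken from the thread).
const SCRIPT_INPUT = '<script src="https://example.invalid/a.js"></script>';
const ATTR_INPUT = 'hello data-injected=1';
```

`renderUnsafe(SCRIPT_INPUT)` yields markup with two tags, `renderEscaped(SCRIPT_INPUT)` yields none, and `renderUnquotedAttr(ATTR_INPUT)` produces a div carrying a second attribute the developer never wrote.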

The user can do cross-site scripting. They can inject malicious client-side code.

Take a look at http://en.wikipedia.org/wiki/Cross-site_scripting

Whatever they want could include a <script> tag which pulls a .js file from their own server. Then, if you show that content to another user, the script could do all kinds of things to extract information from the unsuspecting user.
