安全地发布然后打印JavaScript标记
[英]Securely posting and then printing JavaScript tags
问题描述
I am trying to develop a back-end Ad Checking application in PHP. 
我正在尝试用PHP开发后端广告检查应用程序。 We have lots of places where ads can be shown and almost all of them has its unique requirements (they are shown inside games, that is why everyone is different in size, weight, format, etc.). 我们有很多地方可以展示广告,而且几乎所有广告都有其独特的要求(它们显示在游戏中,这就是每个人在尺寸,重量,格式等方面都有所不同的原因)。 Since this can cause lots of confusions on campaigns targeting different games (with the agencies sending us ads with the wrong formats), we need to check every ad to make sure it works as expected. 由于这可能会导致针对不同游戏的广告系列产生大量混淆(代理商会向我们发送格式错误的广告),因此我们需要检查每个广告以确保其按预期运行。
The application works fine if our clients send us the Ad File to check. 如果我们的客户向我们发送要检查的广告文件,该应用程序正常。 But most of the time they send Adserver tags, so they can keep track of the results, and those tags generally are javascript and iframe tags. 但大部分时间他们都会发送Adserver标记,因此他们可以跟踪结果,这些标记通常是javascript和iframe标记。
The problem is how to securelly allow the insertion of javascript and iframe code, and render that to the page on the postback page (for visual checking), on all browsers, without risking XSS problems? 问题是如何安全地允许插入javascript和iframe代码,并在所有浏览器上将其呈现到回发页面上的页面(用于可视化检查),而不会有XSS问题的风险?
At the moment, I've managed to post the code and print to the postback page on all browsers, but Chrome, because of the security measures. 目前,由于安全措施的原因,我已设法将代码发布到所有浏览器的回发页面上,而不是Chrome。 But since I'm gonna have to tackle that issue anyway, how can I make it work on all browsers and still be sure the application is safe? 但是,既然我不得不解决这个问题,我怎样才能让它适用于所有浏览器并且仍然确保应用程序是安全的?
Thanks. 谢谢。 Decio Decio
1 个解决方案
解决方案1
0 已采纳 2012-05-31 23:26:13
If you include 3rd party javascript code, you are always risking XSS. 如果您包含第三方javascript代码,那么您总是冒着XSS的风险。 Let's say, you're testing the code from ad provider: 比方说,您正在测试广告提供商的代码:
<script src="http://some3rdPartySite.com/script.js"></script>
- Script can be altered to be displayed and to cause different results on target domain and on all other pages. 可以更改脚本以显示,并在目标域和所有其他页面上产生不同的结果。 That is, you can see how it wants to be showed to you, but you can't be sure that it will be the same in some of your customer's games. 也就是说,您可以看到它是如何向您展示的,但您无法确定它在某些客户的游戏中是否会相同。
- Ad provider can change the script on it's server at any moment, possibly after your tests. 广告提供商可以随时更改其服务器上的脚本,可能在您的测试之后。
If you do not trust your ad vendors, I suggest to let them choose image + URL or iframe URL + dimensions. 如果您不信任广告供应商,我建议他们选择图片+网址或iframe网址+尺寸。 You can do "bad stuff" with Iframe too (like frame-busting thus redirecting from your customer page), but you still must obey cross-domain policy. 您也可以使用Iframe做“坏事”(比如框架破坏,从而从您的客户页面重定向),但您仍然必须遵守跨域策略。 This is not the case if you let javascript code to be executed. 如果你让javascript代码被执行,情况就不是这样了。
You could also provide your own analytics for ad vendors to fill their needs. 您还可以为广告供应商提供自己的分析,以满足他们的需求。
Anyway, for testing javascript results you could use Selenium drivers with any browser: http://seleniumhq.org/ . 无论如何,对于测试JavaScript的结果,您可以使用Selenium驱动程序和任何浏览器: http : //seleniumhq.org/ 。 It let's you to load any page, execute javascript code and get results. 它让你加载任何页面,执行javascript代码并获得结果。 In this way you could load your javascript code, search DOM for nodes and check their dimensions etc. 通过这种方式,您可以加载您的javascript代码,搜索节点的DOM并检查它们的尺寸等。
Also, you can look at sahi: http://sahi.co.in/w/ 另外,你可以看看sahi: http ://sahi.co.in/w/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.