
Codeigniter xss_clean dilemma

I know this question has been asked over and over again, but I still haven't found the perfect answer for my liking, so here it goes again...

I've been reading lots and lots of polarizing comments about CI's xss_filter. Basically the majority says that it's bad. Can someone elaborate how it's bad, or at least give 1 most probable scenario where it can be exploited? I've looked at the security class in CI 2.1 and I think it's pretty good as it doesn't allow malicious strings like document.cookie, document.write, etc.

If the site has basically non-html presentation, is it safe to use global xss_filter (or if it's REALLY affecting performance that much, use it on a per form post basis) before inserting to the database? I've been reading about the pros and cons of whether to escape on input/output, with the majority saying that we should escape on output only. But then again, why allow strings like <a href="javascript:stealCookie()">Click Me</a> to be saved in the database at all?

The one thing I don't like is that javascript: and such will be converted to [removed]. Can I extend CI's security core $_never_allowed_str arrays so that the never allowed strings return empty rather than [removed]?

The best reasonable wrongdoing example of this I've read is if a user has a password of javascript:123 it will be cleaned into [removed]123, which means a string like document.write123 will also pass as the user's password. Then again, what are the odds of that happening, and even if it happens, I can't think of any real harm that can be done to the site.

Thanks

Basically XSS is an OUTPUT problem - but Codeigniter deals with it as an INPUT problem.

Can someone elaborate how it's bad...

The problem is xss_clean alters your INPUT - meaning in some scenarios (like the password issue you have described) the input is not what is expected.

...or at least give 1 most probable scenario where it can be exploited?

It only looks for certain key words, such as "javascript". There are other script actions which xss_clean does not detect, plus it won't protect you against any "new" attacks.

The one thing I don't like is javascript: and such will be converted to [removed]. Can I extend the CI's security core $_never_allowed_str arrays so that the never allowed strings return empty rather than [removed]

You could do this - but you're just putting a band-aid on a poor solution.

I've been reading about pros and cons about whether to escape on input/output with majority says that we should escape on output only.

This is the correct answer - escape ALL your output, and you have true XSS protection, without altering the input.

OWASP explains more on XSS here

See a good Codeigniter forum thread on XSS

Personally my approach to XSS protection in Codeigniter is I do not do ANY XSS cleaning on the inputs. I run a hook on the _output - which cleans all my "view_data" (which is the variable I use to send data to the views).

I can toggle if I don't want the XSS Clean to run by inserting a "$view_data['clean_output'] = false" in my controller, which the hook checks:

    if (( ! isset($this->CI->view_data['clean_output'])) || ($this->CI->view_data['clean_output']))
    {
        // Apply to all in the list
        $this->CI->view_data = array_map("htmlspecialchars", $this->CI->view_data);
    }

This gives me automatic and full XSS protection on my whole site - with just a couple of lines of code and no performance hit.
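As an added example (not code from the answer above or from CodeIgniter itself), here is the escape-on-output idea carried one step further: a recursive escaper that also copes with nested view data arrays and passes ENT_QUOTES so single-quoted attributes are covered, run over constructed sample data that includes the markup and the javascript:123 password from the question. The escape_output function and the $view_data keys are assumed for illustration.

```php
<?php
// Added example: recursive output escaping in the spirit of the answer's
// _output hook. The $view_data array below is constructed sample input.

/**
 * Escape every string in $data for safe output in an HTML body or
 * attribute context. Unlike a flat array_map("htmlspecialchars", ...),
 * this descends into nested arrays and uses ENT_QUOTES, so a value such
 * as "it's" cannot break out of a single-quoted attribute.
 */
function escape_output($data)
{
    if (is_array($data)) {
        return array_map('escape_output', $data); // keys are preserved
    }
    if (is_string($data)) {
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $data; // ints, bools and null pass through untouched
}

// Constructed sample of what a controller might hand to a view.
$view_data = [
    'title'        => 'Profile',
    'comment'      => '<a href="javascript:stealCookie()">Click Me</a>',
    'password'     => 'javascript:123',     // stored input stays intact
    'tags'         => ['<script>', "it's"], // nested array
    'clean_output' => true,                 // the answer's opt-out flag
];

// Mirror the hook's toggle: escape unless the controller disabled it.
if (!isset($view_data['clean_output']) || $view_data['clean_output']) {
    $view_data = escape_output($view_data);
}

// The input was never altered; only its rendering is neutralised.
echo $view_data['comment'], PHP_EOL;
echo $view_data['password'], PHP_EOL;
echo $view_data['tags'][1], PHP_EOL;
```

htmlspecialchars is the right encoder only for HTML body and attribute contexts; a value that ends up inside a script block, a URL or a CSS rule needs that context's own encoding instead.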
