Javascript 转义 < 和 > 是否足以阻止 XSS 攻击?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5696244/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is escaping < and > sufficient to block XSS attacks?
提问by M. Biolic
I'm sure that the answer to this question is No, but I can't seem to find a way that simply transforming <and >to <and >doesn't completely block reflected and persistent XSS.
我确信这个问题的答案是否定的,但我似乎无法找到一种简单地转换<和>到<并且>不完全阻止反射和持久性 XSS 的方法。
I'm not talking about CSRF.
我不是在谈论 CSRF。
If this doesn't block XSS, can you provide an example of how to bypass this defence?
如果这不能阻止 XSS,您能否提供一个如何绕过此防御的示例?
采纳答案by ThiefMaster
When using an untrusted string in an attribute (quoted with ") you need to escape "as ".
在属性中使用不受信任的字符串(用 引用")时,您需要转义"为"。
Otherwise you could easily inject javascript. For example, <a href="{{str}}">with strbeing, for example, " onmouseover='something-evil'".
否则,您可以轻松注入 javascript。例如,<a href="{{str}}">用str作为,例如," onmouseover='something-evil'"。
回答by Brent Friar
Not all XSS attacks include < or > at all, depending on where the data is being inserted.
并非所有 XSS 攻击都包含 < 或 >,具体取决于插入数据的位置。
回答by priomsrb
No. Here are a couple of examples where escaping <, >, ', "and &is not enough:
号这里有几个例子逃离那里<,>,',"并&是不够的:
Example 1:
示例 1:
<a href="{{myUrl}}">
XSS Attack:
XSS 攻击:
myUrl = "javascript:alert(1)"
Example 2:
示例 2:
<script>var page = {{myVar}};</script>
XSS Attack:
XSS 攻击:
myVar = "1;alert(1)"
See https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheetfor ways of preventing these attacks.
有关防止这些攻击的方法,请参阅https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet。
回答by Troy Hunt
No, it's not sufficient. Remember that XSS isn't just about untrusted data in HTML, you'll also find it in JavaScript and CSS. Think about a situation such as "var myVar = [input];" There are all sorts of malicious things you can do with that [input] value without going anywhere near angle brackets. There's many more examples over in the XSS cheat sheet: http://ha.ckers.org/xss.html
不,这还不够。请记住,XSS 不仅仅是 HTML 中不受信任的数据,您还会在 JavaScript 和 CSS 中找到它。想想这样的情况,比如“var myVar = [input];” 您可以使用该 [input] 值执行各种恶意操作,而无需靠近尖括号。XSS 备忘单中还有更多示例:http: //ha.ckers.org/xss.html
You've mentioned ASP.NET in the tag; what you want to be looking at is the [AntiXSS library][1]. Grab this and use the appropriate output encoding:
您在标签中提到了 ASP.NET;您想要查看的是[AntiXSS library][1]. 抓住这个并使用适当的输出编码:
Encoder.CssEncode()
Encoder.HtmlEncode()
Encoder.HtmlAttributeEncode()
Encoder.JavaScriptEncode()
etc. etc. There's absolutely no reason to try and do your own character substitution in .NET.
等等等等。绝对没有理由尝试在 .NET 中进行自己的字符替换。
