如何使用 Laravel 允许 WYSIWYG 编辑器并禁用 XSS 攻击?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/17314893/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How can I allow WYSIWYG editors and disable XSS attacks using Laravel?
提问by Aristona
I have a enterprise level application where logged in users are authorized to post articles to page using a WYSIWYG editor. (You can consider this application as a website builder.)
我有一个企业级应用程序,其中登录用户有权使用 WYSIWYG 编辑器将文章发布到页面。(您可以将此应用程序视为网站建设者。)
Everything works fine, but the problems are;
一切正常,但问题是;
WYSIWYG editor posts a HTML containing article, also some localised string characters which Laravel doesn't like, so Laravel's
alpha_numcheck can't pass. (Therefore we don't use it on validation checks.)We need to allow characters like
<,",>because they may want to do some basic styling using WYSIWYG editor, sohtmlspecialchars()is not an option while echoing/sanitizing values, because harmful things like<br>'s break.Users are able to post things like,
<script type="text/javascript>alert('Hello');</script>or</div></div></div><div style="width: 100%, height: 100% z-index: 999999">It is a huge security risk, I know, but we can't really sanitize/escape anything. Users will still be able to write<s<!---->cript>and pass the check.
WYSIWYG 编辑器发布了一个包含文章的 HTML,还有一些 Laravel 不喜欢的本地化字符串字符,所以 Laravel 的
alpha_num检查无法通过。(因此我们不在验证检查中使用它。)我们需要允许像
<,这样的字符",>因为他们可能想使用所见即所得编辑器进行一些基本的样式设置,所以htmlspecialchars()在回显/清理值时不是一个选项,因为像<br>'s这样有害的东西会中断。用户可以发布类似的内容,
<script type="text/javascript>alert('Hello');</script>或者</div></div></div><div style="width: 100%, height: 100% z-index: 999999">这是一个巨大的安全风险,我知道,但我们无法真正清理/逃避任何事情。用户仍然可以写<s<!---->cript>并通过支票。
So, in short, we can't rely some built-in Laravel and PHP functions. We can't disable WYSIWYG editor also, because it is used often in majority of areas in spoken application.
所以,简而言之,我们不能依赖一些内置的 Laravel 和 PHP 函数。我们也不能禁用 WYSIWYG 编辑器,因为它经常用于口语应用程序的大多数领域。
What is the best way to avoid this?
避免这种情况的最佳方法是什么?
I'm thinking about creating a custom rule on top of alpha_numon Laravel, which would be called as something like alpha_num_localised_characters_plus_allowed_html_tagsand add that rule to any input containing WYSIWYG editor.
我正在考虑alpha_num在 Laravel之上创建一个自定义规则,它会被称为类似的东西alpha_num_localised_characters_plus_allowed_html_tags,并将该规则添加到任何包含 WYSIWYG 编辑器的输入中。
Is this a good way? Is there any better alternative? How do you deal with such issues yourself?
这是一个好方法吗?有没有更好的选择?你自己是如何处理这些问题的?
Note: Please note we already developed a huge sized application, we'll rely on quickest and most maintainable solution.
注意:请注意我们已经开发了一个巨大的应用程序,我们将依赖最快和最可维护的解决方案。
采纳答案by Antonio Frignani
You can use a tag system similar to the BBCode or Markdown to allow your users to do certain operation. This way, you can be sure the input will be sanitized against EVERY kind of malicious script, just use a lexer and a XSS protection when displaying user content.
您可以使用类似于 BBCode 或 Markdown 的标签系统来允许您的用户进行某些操作。通过这种方式,您可以确保输入将针对各种恶意脚本进行清理,只需在显示用户内容时使用词法分析器和 XSS 保护即可。
EDIT: To see what i mean, you can use CKEditor as your WYSIWYG editor, in conjunction with the BBCode plugin:
编辑:要明白我的意思,您可以使用 CKEditor 作为您的 WYSIWYG 编辑器,结合 BBCode 插件:
回答by Guy Incognito
Can you run everything through strip_tagsand just allow the minimum tags possible?
您可以通过strip_tags运行所有内容并只允许尽可能少的标签吗?
You may also want to look at html purifierwhich should give you more options including control over css
您可能还想查看html purifier,它应该为您提供更多选项,包括对 css 的控制
What I usually do is save two copies of the WYSIWYG content:
我通常做的是保存两份所见即所得的内容:
- the original unfiltered content
- the filtered content
- 原始未过滤内容
- 过滤后的内容
This allows me to reprocess the original content if I find that something vital has been stripped out and also show the user their original html when editing. Obviously I display the filtered content wherever it is displayed on the site.
如果我发现一些重要的内容已被删除,并在编辑时向用户显示他们的原始 html,这允许我重新处理原始内容。显然,我会在网站上显示的任何地方显示过滤后的内容。
回答by Richard Torcato
using Laravel you might also have to sanitize for blade template stuff. You don't want users entering in stuff like: {{{phpInfo()}}}.
使用 Laravel,您可能还需要对刀片模板内容进行消毒。您不希望用户输入类似:{{{phpInfo()}}} 的内容。
Building a WYSIWYG editor requires the users to have some level of trust. If you don't trust the users at all your best option is what is mentioned earlier using custom tags.
构建 WYSIWYG 编辑器需要用户具有一定程度的信任。如果您根本不信任用户,那么最好的选择就是前面提到的使用自定义标签的方法。
回答by Foued MOUSSI
I beleive that xss attacks are an output problem.
我相信 xss 攻击是一个输出问题。
There is no security risk if you store
如果您存储,则没有安全风险
<script>alert('Hacking your website in 3...2...')</script>
<script>alert('Hacking your website in 3...2...')</script>
in your database - it is just text - it doesnt mean anything. I encourage escaping all output, regardless where it came from. Here is a good discussion with further points on why you should filter output, not input:
在您的数据库中 - 它只是文本 - 它没有任何意义。我鼓励转义所有输出,无论它来自哪里。这是一个很好的讨论,进一步说明了为什么应该过滤输出,而不是输入:
回答by amit
i do'nt know how feasible this is for you, but one quick and easy solution is to use httpOnlycookies . It resolves XSS attacks via injection of malicious javascript as those cookie are not accessible to javascript.You can try to put senstive data in httpOnly cookies and not so sensitive data in normal cookie. See this : http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
我不知道这对您来说有多可行,但一种快速简便的解决方案是使用httpOnlycookie。它通过注入恶意 javascript 来解决 XSS 攻击,因为 javascript 无法访问这些 cookie。您可以尝试将敏感数据放在 httpOnly cookie 中,而不是将敏感数据放在普通 cookie 中。看到这个:http: //www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
