javascript HTML 文本框值属性是否免受 XSS 攻击?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19636775/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Are HTML textbox value attributes safe from XSS attacks?
提问by Justin Skiles
I have a textbox where I want to allow users the ability to type in potentially dangerous characters such as <and >(this is a mathematical expression data entry field which required me to disable ASP.NET validation on the textbox). The data is stored in a database and retrieved later for display on the page. When I display the data in the textbox, I am setting it like this:
我有一个文本框,我想让用户能够在其中输入潜在危险的字符,例如<和>(这是一个数学表达式数据输入字段,需要我在文本框上禁用 ASP.NET 验证)。数据存储在数据库中,稍后检索以显示在页面上。当我在文本框中显示数据时,我是这样设置的:
textboxA.Text = expression;where expressioncomes from the database with the potentially dangerous characters.
textboxA.Text = expression;其中,expression来自于与有潜在危险的人物的数据库。
Anyway, I tried purposely inserting something like < script>alert('hi') < /script>but I can't get this script to execute when the Textproperty is set (translates to valueattribute in client-side HTML. The result looks like:
无论如何,我尝试故意插入类似的内容,< script>alert('hi') < /script>但在设置Text属性时无法执行此脚本(转换为value客户端 HTML 中的属性。结果如下所示:
< input type="text" value="<script>alert('hi')< /script>">>< /input>
< input type="text" value="<script>alert('hi')< /script>">>< /input>
So what gives, is the valueattribute safe from injections?
那么是什么给出的,该value属性是否可以避免注入?
Note: The spaces before each tag in the examples is only for StackOverflow because it deletes tags from questions.
注意:示例中每个标签前的空格仅用于 StackOverflow,因为它会从问题中删除标签。
采纳答案by Erlend
The builtin textbox control automatically encodes the text attribute. When you checked the output, did you use view source or the developer console. The console shows escaped data as unescaped, while view source will show the actual output.
内置的文本框控件会自动对文本属性进行编码。当您检查输出时,您使用的是查看源代码还是开发者控制台。控制台将转义数据显示为未转义,而查看源将显示实际输出。
Anyways, a classical attack on textbox value attributes would be:
" autofocus onfocus="alert(1)
无论如何,对文本框值属性的经典攻击是:
" autofocus onfocus="alert(1)
回答by HelpNeeder
To properly insert this code into your site you must understand how your code work. I'm not sure how ASP.net declares input field but as long it doesn't automatically encode special characters then my tip should let you insert code.
要将此代码正确插入您的站点,您必须了解您的代码是如何工作的。我不确定 ASP.net 如何声明输入字段,但只要它不自动编码特殊字符,那么我的提示应该可以让您插入代码。
If for example this is how code of your input looks like (this is input field for HTML site) where is <?php if (isset($_SESSION['username'])) {echo $_SESSION['username'];} ?>its part of the code that inserts your script back into the HTML page (assuming you are saving value into session and redisplay the value in the textbox)
例如,如果这是您的输入代码的样子(这是 HTML 站点的输入字段),<?php if (isset($_SESSION['username'])) {echo $_SESSION['username'];} ?>它的代码部分是将您的脚本插入回 HTML 页面(假设您将值保存到会话中并在文本框)
If you're passing argument back to the form by using the URL:
如果您使用 URL 将参数传递回表单:
http://www.website.com/index.php?username="><script>alert('hi')</script>
From
从
<input type="text" name="username"
value="<?php if (isset($_SESSION['username'])) {echo $_SESSION['username'];} ?>">
Then the code you want to inject must look like this:
那么你要注入的代码必须是这样的:
"><script>alert('hi')</script>
Notice ">at the beginning of this code. Basically what it does is to end the value=""by using "tag and then closes input field with >.
注意">这段代码的开头。基本上它的作用是value=""通过使用"标记结束,然后使用>.
So the actual result would be:
所以实际的结果是:
<input type="text" name="username" value=""><script>alert('hi')</script>
From there you will be able to insert code such as JavaScript.
从那里您将能够插入诸如 JavaScript 之类的代码。
