How can I allow HTML tags for input without being vulnerable to XSS?
I know that the <b> tag is harmless in XSS terms, but after testing I found that it can be manipulated if an onclick script is added, e.g. <b onclick="alert('xss');">Hello</b>
How can I prevent XSS on these low-level elements?
It's best to use regular expressions:
<?php
$testStringA = '<b>I am a nice text without any evil characters</b>';
$testStringB = '<b onclick="alert(evil)">I am supposed to be evil. :) </b>';
// Only a bare <b> tag, then letters, digits and spaces, then a bare </b>.
// The slash in the closing tag is escaped because "/" is also the pattern delimiter.
$pattern = '/<b>[a-zA-Z0-9 ]+<\/b>/';
if(preg_match($pattern, $testStringB)){
// this will NOT execute: the opening tag carries an attribute
echo "TeststringB matches our pattern";
}
if(preg_match($pattern, $testStringA)){
echo "TeststringA matches our pattern";
}
?>
will output
TeststringA matches our pattern
However, the RegEx above only allows a-z, A-Z, 0-9 and spaces (see the square brackets); you will need to modify it to suit your needs.
If you are using JavaScript:
The nice thing about regular expressions is that, to some extent, they are portable. I have rewritten the code above in JavaScript to demonstrate this; it may be easier for you to understand:
// Use a regex literal: new RegExp("/.../") would treat the slashes as part of
// the pattern. The "/" in the closing tag is escaped inside the literal.
var re = /<b>[a-zA-Z0-9 ]+<\/b>/;
var testStringA = '<b>I am a nice text without any evil characters</b>';
var testStringB = '<b onclick="alert(evil)">I am supposed to be evil. :) </b>';
if(re.test(testStringA)){
alert(testStringA); // runs: only a bare <b> tag and plain characters
}
if(re.test(testStringB)){
alert(testStringB); // does not run: the opening tag carries an attribute
}
Or see the fiddle here: http://jsfiddle.net/3hz42/
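As an added example (not code from the answer above), here is the answer's "<b>...</b>" pattern generalised to a small allowlist of bare formatting tags and applied to the whole input. containsBoldSpan is the answer's regex with the character-class typo fixed; validateMarkup is anchored with ^ and $ so the entire input must consist of plain characters and bare allowed tags. The tag list (b, i, em, strong) and the accepted punctuation are assumptions made for the illustration:

```javascript
// Added example, not from the original answer.
// Assumed allowlist: b, i, em, strong. Assumed plain-text alphabet: letters,
// digits, space and a little punctuation. Extend both as needed, but never
// add "<" or ">" to the plain-text class.

// The answer's regex (character class fixed to a-zA-Z): reports whether a clean
// "<b>...</b>" span occurs *somewhere* in the input.
const boldSpan = /<b>[a-zA-Z0-9 ]+<\/b>/;

function containsBoldSpan(input) {
  return boldSpan.test(input);
}

// Anchored allowlist grammar for the *whole* input: every character must be
// either a plain-text character or part of a bare opening/closing tag from the
// allowlist. Because "<" is not plain text and an allowed tag is "<name>" or
// "</name>" with nothing else inside the brackets, there is no position in an
// accepted string where an attribute such as onclick could appear.
const allowedMarkup = /^(?:[A-Za-z0-9 .,:;!?()-]|<\/?(?:b|i|em|strong)>)*$/;

function validateMarkup(input) {
  return allowedMarkup.test(input);
}
```

re.test() without anchors only asks whether the pattern occurs anywhere, so an input that contains one clean <b>...</b> span passes even when other markup follows it; the anchored form rejects such input as a whole. Neither regex checks that tags are balanced; browsers repair unbalanced formatting tags, and since the accepted grammar has no attribute position, imbalance is a rendering concern rather than a script-injection one.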
This function may help some people; it is a JavaScript function that strips XSS attributes from a string.
function strip_attr(e){
// Each replace keeps the tag prefix ($1) and drops the attribute. The g flag
// (added here) strips every occurrence rather than only the first one, which
// is what the PHP preg_replace variant already does by default.
var r = e.replace(/(<[^>]+) onclick=".*?"/gi,"$1");
r = r.replace(/(<[^>]+) onfocus=".*?"/gi,"$1");
r = r.replace(/(<[^>]+) ondblclick=".*?"/gi,"$1");
r = r.replace(/(<[^>]+) style=".*?"/gi,"$1");
r = r.replace(/(<[^>]+) onmousedown=".*?"/gi,"$1");
r = r.replace(/(<[^>]+) onmouseout=".*?"/gi,"$1");
r = r.replace(/(<[^>]+) onmouseover=".*?"/gi,"$1");
r = r.replace(/(<[^>]+) onmouseup=".*?"/gi,"$1");
r = r.replace(/(<[^>]+) onclick=.*?/gi,"$1");
r = r.replace(/(<[^>]+) onfocus=.*?/gi,"$1");
r = r.replace(/(<[^>]+) ondblclick=.*?/gi,"$1");
r = r.replace(/(<[^>]+) style=.*?/gi,"$1");
r = r.replace(/(<[^>]+) onmousedown=.*?/gi,"$1");
r = r.replace(/(<[^>]+) onmouseout=.*?/gi,"$1");
r = r.replace(/(<[^>]+) onmouseover=.*?/gi,"$1");
r = r.replace(/(<[^>]+) onmouseup=.*?/gi,"$1");
r = r.replace(/(<[^>]+) onclick='.*?'/gi,"$1");
r = r.replace(/(<[^>]+) onfocus='.*?'/gi,"$1");
r = r.replace(/(<[^>]+) ondblclick='.*?'/gi,"$1");
r = r.replace(/(<[^>]+) style='.*?'/gi,"$1");
r = r.replace(/(<[^>]+) onmousedown='.*?'/gi,"$1");
r = r.replace(/(<[^>]+) onmouseout='.*?'/gi,"$1");
r = r.replace(/(<[^>]+) onmouseover='.*?'/gi,"$1");
r = r.replace(/(<[^>]+) onmouseup='.*?'/gi,"$1");
return r.replace(/(<[^>]+) class=".*?"/gi,"$1").replace(/(<[^>]+) class='.*?'/gi,"$1").replace(/(<[^>]+) class=.*?/gi,"$1");
}
Edit
Added a PHP variant of the safe script
function strip_attr($e){
$r = preg_replace('/(<[^>]+) onclick=".*?"/i','$1',$e);
$r = preg_replace('/(<[^>]+) onfocus=".*?"/i','$1',$r);
$r = preg_replace('/(<[^>]+) ondblclick=".*?"/i','$1',$r);
$r = preg_replace('/(<[^>]+) style=".*?"/i','$1',$r);
$r = preg_replace('/(<[^>]+) onmousedown=".*?"/i','$1',$r);
$r = preg_replace('/(<[^>]+) onmouseout=".*?"/i','$1',$r);
$r = preg_replace('/(<[^>]+) onmouseover=".*?"/i','$1',$r);
$r = preg_replace('/(<[^>]+) onmouseup=".*?"/i','$1',$r);
$r = preg_replace('/(<[^>]+) onclick=.*?/i','$1',$r);
$r = preg_replace('/(<[^>]+) onfocus=.*?/i','$1',$r);
$r = preg_replace('/(<[^>]+) ondblclick=.*?/i','$1',$r);
$r = preg_replace('/(<[^>]+) style=.*?/i','$1',$r);
$r = preg_replace('/(<[^>]+) onmousedown=.*?/i','$1',$r);
$r = preg_replace('/(<[^>]+) onmouseout=.*?/i','$1',$r);
$r = preg_replace('/(<[^>]+) onmouseover=.*?/i','$1',$r);
$r = preg_replace('/(<[^>]+) onmouseup=.*?/i','$1',$r);
$r = preg_replace("/(<[^>]+) onclick='.*?'/i","$1",$r);
$r = preg_replace("/(<[^>]+) onfocus='.*?'/i","$1",$r);
$r = preg_replace("/(<[^>]+) ondblclick='.*?'/i","$1",$r);
$r = preg_replace("/(<[^>]+) style='.*?'/i","$1",$r);
$r = preg_replace("/(<[^>]+) onmousedown='.*?'/i","$1",$r);
$r = preg_replace("/(<[^>]+) onmouseout='.*?'/i","$1",$r);
$r = preg_replace("/(<[^>]+) onmouseover='.*?'/i","$1",$r);
$r = preg_replace("/(<[^>]+) onmouseup='.*?'/i","$1",$r);
return preg_replace("/(<[^>]+) class='.*?'/i","$1",$r);
}
Take the input and put it into a variable, say $output:
$output = preg_replace('/(<[^>]+) onclick=".*?"/i', '$1', $input);
Use the PHP function strip_tags()
Javascript:
document.getElementsByTagName("b")[0].removeAttribute("onclick");
document.getElementsByTagName("b")[0].removeAttribute("onfocus");
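The answers above either match a strict pattern, strip a fixed list of attribute names, or remove tags and attributes one at a time. As an added example that is not code from the question or any of the answers, and that serves all of them, here is the approach a sanitizer library such as DOMPurify (browser) or HTML Purifier (PHP) takes, written out in plain Node-compatible JavaScript: parse the input into tags and text, keep only an allowlist of tag names, keep no attributes at all, and HTML-escape everything else. The allowlist (b, i, em, strong) and the function names are assumptions for the illustration:

```javascript
// Added example, not from the original post or its answers.
// Assumed allowlist of tag names that may survive sanitisation. They survive
// *without any attributes*, so an onclick (or any other on* handler) on an
// allowed tag is discarded rather than inspected.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong']);

// Escape the characters that have meaning in HTML text and attribute context.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// One tag: "<", optional "/", a tag name, then anything up to the next ">".
// Whatever follows the name (attributes, slashes, whitespace) is never
// interpreted; it is either dropped (allowed tag) or escaped (anything else).
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;

function sanitizeHtml(input) {
  let out = '';
  let last = 0;
  const open = []; // stack of currently open allowed tags, for balanced output
  for (const m of input.matchAll(TAG_RE)) {
    out += escapeHtml(input.slice(last, m.index)); // text before this tag
    last = m.index + m[0].length;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeHtml(m[0]); // unknown tag: rendered as literal text
    } else if (!closing) {
      open.push(name);
      out += `<${name}>`; // allowed tag re-emitted bare, attributes dropped
    } else if (open.includes(name)) {
      // Close back down to the matching open tag so nesting stays well-formed.
      let top;
      do { top = open.pop(); out += `</${top}>`; } while (top !== name);
    } else {
      out += escapeHtml(m[0]); // closing tag with nothing to close: literal text
    }
  }
  out += escapeHtml(input.slice(last)); // trailing text
  while (open.length) out += `</${open.pop()}>`; // auto-close what was left open
  return out;
}
```

The input is treated as raw text, so an entity that is already encoded in the input (for example &amp;) is encoded again; decode first if your stored data is already entity-encoded. Because [^>]* stops at the first ">", an attribute value that itself contains ">" leaves its tail outside the tag, where it is escaped as text; that produces ugly output but never new markup. The output contains only allowed bare tags and escaped text, so it can be inserted as element content without a further encoding step; it is still not safe to place inside an attribute value, a <script> block or a URL, which need their own encoding.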