文章/答案/技术大牛

发布

社区首页 >问答首页 >在下面的代码中如何防止XSS？

问在下面的代码中如何防止XSS？
EN

Stack Overflow用户

提问于 2015-12-14 15:12:42

回答 3查看 1.9K关注 0票数 6

我用HTML5 + Javascript写了一些代码，当用户在User中输入他的名字时，它会像"Hello <user>“.Now一样反射回来，这个脚本容易受到XSS (跨站点脚本)的攻击。

下面是我的代码：

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>Forms Welcome</title>

<script>
function write_name(){

    var welcome_parra = document.getElementById('welcome');
    var name =  document.getElementById('name');
    welcome_parra.innerHTML = "welcome " + name.value;
}
</script>
</head>

<body>
    <p id="welcome"></p>
    <form>
        Username: <input type="text" name="username" maxlength="20" id="name"/>
        <input type="button" value="done"onclick="write_name();">
    </form>
 /body>

</title>

现在，当我输入有效负载"><img src=x onerror=prompt(404)>时，会得到XSS提示。那么我该如何纠正它呢？

有没有人可以检查一下主机，试着修补一下bug，然后给我一个原因？

xss

javascript

web

回答 3

Stack Overflow用户

发布于 2015-12-14 15:24:07

您可以对输入进行HTML编码，使其成为XSS安全的。添加函数：

function escapeInput(input) {
    return String(input)
            .replace(/&/g, '&amp;')
            .replace(/"/g, '&quot;')
            .replace(/'/g, '&#39;')
            .replace(/</g, '&lt;')
            .replace(/>/g, '&gt;');
}

并对用户输入进行编码：

<script>
function write_name(){

    var welcome_parra = document.getElementById('welcome');
    var name =  document.getElementById('name');
    welcome_parra.innerHTML = "welcome " + escapeInput(name.value);
}
</script>

票数 6

Stack Overflow用户

发布于 2015-12-14 15:19:16

您可以尝试执行以下操作：

function checkInput(string) {
    var regex = /^[^0-9*\\\^\/<>_#']+$/;
    if(regex.test(string)) {
        return true;
    } else {
        return false;
    }
}

这样，您就可以知道字母是否用于XSS攻击，然后就不发送表单了

我还使用此函数来验证表单，而不是上面的函数：

checkField:function(string, type) {
    var regex;
    switch (type) {
        case "number":
            regex = /^[\d]+$/;
            break;
        case "string":
            regex = /^[^0-9*\\\^\/<>_#']+$/;
            break;
        case "email":
            regex = /^([a-zA-Z0-9_.+-])+\@(([a-zA-Z0-9-])+\.)+([a-zA-Z0-9]{2,7})+$/;
            break;
    }
    if (regex.test(string)) {
         return true;
    } 
    return false;
},

在那里你可以添加你想要的和需要的案例。我希望这能对你有所帮助。

但是为了保证100%的安全，你必须在服务器上验证表单，所以我遵循两个简单的规则：

规则一:永远不要使用未选中的表单数据

规则二:在不替换脚本或代码相关部分(如<%>/\等)的情况下，不要使用表单数据

因为我可以简单地复制您的表单并将其发送到确切的地址，所以我将绕过客户端检查/验证，但是对于您的情况，因为您不会将表单发送到其他地方，所以防止输入代码就足够了

更新：

Javascript在brainfuck基础上编译了一些奇特的xss攻击，例如

(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+!+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()

它将在警告窗口中给出1...

那些用过的字母也应该检查一下

票数 4

Stack Overflow用户

发布于 2016-01-14 15:39:23

这非常简单，只需将其赋值给innerText而不是innerHtml。

welcome_parra.innerText = "welcome " + name.value;

票数 0

页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持

原文链接：

https://stackoverflow.com/questions/34261522

复制

相似问题

问在下面的代码中如何防止XSS？
EN

回答 3

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问在下面的代码中如何防止XSS？EN

回答 3

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问在下面的代码中如何防止XSS？
EN