Problem description:

In JavaScript, is there any known string that can cause mischief if we filter out all 'less than' ('<') characters then display the result as HTML?

var str = GetDangerousString().toString();
var secure = str.replace(/</g, '');
$('#safe').html(secure); // or
document.getElementById('safe').innerHTML = secure;

This question addresses sanitizing IDs in particular. I'm looking for a general HTML string. The ideal answer is the simplest working example of a string that would inject code or other potentially dangerous elements.

User's answer:

That's not enough for sure... You need to HTML encode any HTML you embed in your pages that you want to be editable by an end user. Otherwise, you need to sanitize it.

You can find out more here at the OWASP site.

EDIT: In response to your comment, I'm not 100% sure. It sounds like double encoding will get you in some cases if you're not careful.

https://www.owasp.org/index.php/Double_Encoding

For example, this string from that page is supposed to demonstrate an exploit that hides the "<" character:

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E

Also, the character "<" can be encoded lots of different ways in HTML, as suggested by this table:

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Character_escape_sequences

So to me, that's the thing to be careful of - the fact that there may be exploitable cases that are hard to understand, but may leave you open.

But back to your original question - can you give me an example of HTML that renders as HTML that doesn't contain the "<" character? I'm trying to understand what HTML you want users to be able to use that would be in an "id".

Also, if your site is small, and if you're open to rewriting parts of it (specifically how you use JavaScript in your pages), then you could consider using Content Security Policies to protect your users from XSS. This works in most modern browsers, and would protect lots of your users from XSS attacks if you were to take this step.
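As an added illustration of the answer's two points (HTML-encode on output rather than stripping one character, and be careful with double encoding), the following JavaScript is not from the original question or answer. It contrasts the question's filter with an output-encoding function, using the double-encoded string quoted above from the OWASP page; the function names `stripLessThan`, `escapeHtml`, `fullyDecode`, `filterThenDecode` and `decodeThenEscape` are assumptions of this example.

```javascript
// Added example, not code from the question or the answer above.

// The filter from the question, exactly as posted: drop every '<'.
function stripLessThan(str) {
  return String(str).replace(/</g, '');
}

// Output encoding: each character with meaning in HTML text or attribute
// context becomes a character reference, so the browser renders it
// literally instead of parsing it as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Percent-decode repeatedly until the value stops changing, so any check
// runs on the form a browser or server would finally see. Bounded so
// malformed input cannot loop forever; undecodable input is returned as-is.
function fullyDecode(str) {
  let prev = String(str);
  for (let i = 0; i < 5; i++) {
    let next;
    try { next = decodeURIComponent(prev); } catch (e) { return prev; }
    if (next === prev) return prev;
    prev = next;
  }
  return prev;
}

// Constructed sample: the string the answer quotes from the OWASP
// double-encoding page.
const DOUBLE_ENCODED = "%253Cscript%253Ealert('XSS')%253C%252Fscript%253E";

// Wrong order: filtering between two decode steps. The filter sees "%3C",
// not "<", so the final decode still produces the tag.
function filterThenDecode(str) {
  return decodeURIComponent(stripLessThan(decodeURIComponent(str)));
}

// Right order: decode fully first, then encode for the HTML output context.
// The result contains no markup regardless of how many encoding layers
// the input carried.
function decodeThenEscape(str) {
  return escapeHtml(fullyDecode(str));
}
```

The same `escapeHtml` output is what `element.textContent = value` gives you for free in the DOM, which is usually the simpler choice when the value is not meant to contain any markup.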
