可以把 Anti-XSS 的功能交给浏览器吗?
所谓的 XSS 就是用户提交的内容中含有恶意的 js 代码,之后这段代码又被展现在特定的地方被执行了,所以就可以在浏览者当前的会话下执行 js 内容,比如偷取 cookie 或者发送 ajax 请求什么的。
虽然可以全部将用户提交的内容转义(比如 CGI.escape 或 Rails 中的 h 方法),但是很多时候还是希望接收用户提供的 html 代码,来展示样式、图片、连接之类。
这样就只好用白名单(比如 Rails 里面的 sanitize),过滤掉不想要的标签和属性,比如 <script> 标签,还有 onfocus onload 这些属性,但是这样消耗资源不说,还是不能解决问题。因为在一些其他的地方还是可以出发 js 的执行,比如 src"javascript:xxx" 这种形式,还有诸多意想不到的混乱式写法都可以触发 js。
这次升级至 Rails 2.3.8,切换到 Erubis,默认转义 html 内容和那个 html_safe 的方法的确可以避免一些无意间把 html 内容展示出来的情况,但是对那种就是要展示用户 html 代码的情况没有帮助。
于是开始想为啥浏览器不提供这种功能,例如提供个 <scruptoff> 和 <scripton> 两个标签,在 <scriptoff> 之后不做任何 js 解析,除非再被 <scripton>:
<scriptoff /> ...用户内容 <scripton />
这样还是没有解决问题,因为用户也可以输入 <scripton /> 把 js 打开,那么可以给标签指定一个随机 key,只有 key 相同,才可以再次打开或关闭 js:
<scriptoff key="8C5D24E"/> ...用户内容 <scripton key="8C5D24E"/>
用 Rails 的 Helper 很容易生成这类标签,用户输入的内容却不能猜出 key 是什么所以不能打开 js。
这样就省事多了。不过应该还有什么没考虑到的情况吧……
RSS
2010年6月29日 19:56
还可以这样
<scriptoff length="1500">
.......1500个字符
</scriptoff>
2010年6月30日 22:05
的确,这也是个好办法~
2018年7月18日 15:30
但是很多时候还是希望接收用户提供的 html 代码,来展示样式、图片、连接之类。
2018年12月03日 11:32
Your article content is being a lot of people interested, I am very impressed with your post. I hope to receive more posts.
2019年1月25日 14:38
Thanks for giving me the useful information. I think I need it!
2019年1月25日 14:39
The information you have posted is very useful.
2019年1月25日 14:40
The sites you have referred was good. Thanks for sharing.
2020年11月23日 06:13
The app has many games to choose from. It also has baccarat. And live casinos to play Some of you may have heard of pusy slots in the name "Pussy 888". เล่น สล็อตออนไลน์
2021年5月30日 15:28
A very awesome blog post. We are really grateful for your blog post. You will find a lot of approaches after visiting your post. I was exactly searching for. Thanks for such post and please keep it up supreme saunas
2021年6月01日 15:05
A very awesome blog post. We are really grateful for your blog post. You will find a lot of approaches after visiting your post. I was exactly searching for. Thanks for such post and please keep it up credit
2021年6月02日 16:11
Yes i am totally agreed with this article and i just want say that this article is very nice and very informative article.I will make sure to be reading your blog more. You made a good point but I can't help but wonder, what about the other side? !!!!!!THANKS!!!!!! Door Replacement Companies
2021年6月07日 21:11
Thank you for taking the time to publish this information very useful! Outdoor sauna
2021年7月29日 21:10
I needed to thank you for this phenomenal read!! I unquestionably adored each and every piece of it. I have you bookmarked your site to look at the new stuff you post. 먹튀검증
2021年8月22日 18:48
You there, this is really good post here. Thanks for taking the time to post such valuable information. Quality content is what always gets the visitors coming. เกมสล็อต
2021年8月30日 17:55 This is such a great resource that you are providing and you give it away for free. I love seeing blog that understand the value of providing a quality resource for free. view publisher site
2021年9月02日 19:31
You know your projects stand out of the herd. There is something special about them. It seems to me all of them are really brilliant! casino
2021年9月06日 04:18
I'm going to learn this. I'll make sure to come back. thanks for sharing. and also This short article provides the light by which we are able to observe the reality. this really is good one and gives indepth information. thanks for this nice article... Ruletka online
2021年9月09日 15:50
Wow! This amazing and helpful post this is. I must say i really love it. It's so good and so awesome. I am just amazed. I am hoping that you continue to complete work similar to this as time goes on also https://www.studyinpoland.pl/app/inc/?5_wskazowek__jak_wybrat_kasyno_online.html
2021年9月09日 16:28
This type of message always inspiring and I prefer to see quality content, so happy to get good place to many within the post, the writing is merely great, thanks for the post. https://q4.pl/aktualnosci/2021/09/02/bonusy-w-kasynach-online-w-2021
2021年9月09日 16:46
This content is written very well. Your usage of formatting when creating your points makes your observations very clear and an easy task to understand. Thank you. blog.ss-blog
2021年10月01日 19:10 thanks this is good blog. mossberg 590a1 retrograde for sale
2021年10月03日 00:03
Your blog is too much amazing. I have found with ease what I was looking. Moreover, the content quality is awesome. Thanks for the nudge! Aplikasi Saham
2021年10月23日 17:52
Thank you very much for writing such an interesting article on this topic. This has really made me think and I hope to read more. Medical device crowdfunding
2021年10月23日 18:05
Nice to be visiting your blog once more, it has been months for me. Well this article that ive been waited for therefore long. i want this article to finish my assignment within the faculty, and it has same topic together with your article. Thanks, nice share. Crowdfunding Consultants
2021年10月24日 17:30
2021年10月26日 19:00
Yes i am totally agreed with this article and i just want say that this article is very nice and very informative article.I will make sure to be reading your blog more. You made a good point but I can't help but wonder, what about the other side? !!!!!!Thanks đồng hồ dw dây sọc
2021年10月26日 21:06
Awesome and interesting article. Great things you've always shared with us. Thanks. Just continue composing this kind of post. Scout Roles
2021年10月30日 22:18
I am very happy to discover your post as it will become on top in my collection of favorite blogs to visit. Wefunder Review
2021年10月31日 14:51
What a fantabulous post this has been. Never seen this kind of useful post. I am grateful to you and expect more number of posts like these. Thank you very much. ar15 lower
2021年10月31日 18:49
Excellent article. Very interesting to read. I really love to read such a nice article. Thanks! keep rocking. https://webtoolsai.com
2021年11月20日 20:41
Relating to a few days ago begun a great webpage, the knowledge everyone deliver on this amazing site offers improved my family dramatically. Kudos created for all of your time & job. Pre Wedding Photographer in Goa
2021年11月20日 20:42
Concerning a short while ago begun a great webpage, the info everyone deliver on this site offers improved my family dramatically. Kudos intended for your entire time & job. Best Event Photographer in Bangalore
2021年11月20日 20:42
This particular is a superb publish We observed because of reveal this. It really is exactly what I needed to determine wish within long term you'll carry on with regard to discussing this type of superb publish. boudoir photographer in Kolkata
2021年11月20日 20:43
Wonderful posting, Thanks a ton to get spreading The following awareness. Wonderfully authored posting, doubts all of blog owners available precisely the same a higher standard subject material just like you, online has got to be improved site. I highly recommend you stay the best! bachelorette party organiser in Dubai
2021年11月22日 20:04
howdy, your websites are really good. I appreciate your work. Wefunder
2021年12月03日 21:02
I visit your blog regularly and recommend it to all of those who wanted to enhance their knowledge with ease. The style of writing is excellent and also the content is top-notch. Thanks for that shrewdness you provide the readers! Beauty courses kent
2021年12月16日 22:54
I have been browsing on-line greater than three hours as of late, yet I never found any fascinating article like yours. It’s beautiful price enough for me. Personally, if all web owners and bloggers made good content as you did, the internet shall be a lot more helpful than ever before. Watch dealer West Yorkshire
2022年2月10日 22:11
Positive site, where did u come up with the information on this posting?I have read a few of the articles on your website now, and I really like your style. Thanks a million and please keep up the effective work. StartEngine Success Stories
2022年2月10日 22:12
Great knowledge, do anyone mind merely reference back to it Republic Stocks
2022年2月10日 22:15
Wow, cool post. I’d like to write like this too – taking time and real hard work to make a great article… but I put things off too much and never seem to get started. Thanks though. StartEngine Fees
2022年2月11日 02:54
Everything has its value. Thanks for sharing this informative information with us. GOOD works! ยี่กี่ lotto
2022年2月11日 02:54
A great content material as well as great layout. Your website deserves all of the positive feedback it's been getting. I will be back soon for further quality contents. xoslot
2022年2月19日 03:02
Great post man, keep the nice work, just shared this with my friendz محامي السعودية
===================================================
Sweet website , super layout, really clean and utilize genial . شراء عقارات تركيا
===================================================
Eventually, the author make an update for a blog. I used to be waiting anxiously for your own next update. I am hoping you will consider updating often so your readers may follow along. I do not have much joy in life today but your blog is one of them. I recognize life is busy but I really hope you will take the time to keep us modified on any progress. محامي السعودية
2022年3月03日 15:08
This is a good post. This post gives truly quality information. I’m definitely going to look into it. Really very useful tips are provided here. Thank you so much. Keep up the good works. florarie florisis
2022年3月10日 17:42
Believe it or not, it is the type of information I’ve long been trying to find. It matches to my requirements a lot. Thank you for writing this information. Book appointment
2022年3月19日 14:29
Took me time to read all the comments, but I really enjoyed the article. It proved to be Very helpful to me and I am sure to all the commenters here! It’s always nice when you can not only be informed, but also entertained! Order online
2022年3月22日 16:44
Thanks for sharing this information. I really like your blog post very much. You have really shared a informative and interesting blog post with people.. Liv@MB Floor Plan
===================================================
This was really an interesting topic and I kinda agree with what you have mentioned here! inpoterbaru
2022年3月31日 21:17
You have done a great job on this article. It's very readable and highly intelligent. You have even managed to make it understandable and easy to read. You have some real writing talent. Thank you. Book your session
2022年4月12日 04:13
Cool stuff you have got and you keep update all of us. jili slot
2022年4月12日 04:58
Efficiently written information. It will be profitable to anybody who utilizes it, counting me. Keep up the good work. For certain I will review out more posts day in and day out. pragmatic play
2022年4月12日 19:11
Great job here on _______ I read a lot of blog posts, but I never heard a topic like this. I Love this topic you made about the blogger's bucket list. Very resourceful. 918kiss
2022年4月12日 20:04
The writer has outdone himself this time. It is not at all enough; the website is also utmost perfect. I will never forget to visit your site again and again. sa game
2022年4月18日 20:00
I have read all the comments and suggestions posted by the visitors for this article are extremely fine,We will wait for your following article so only.Thanks! Virtual tours yorkshire
2022年4月21日 03:28
Your blog provided us with valuable information to work with. Each & every tips of your post are awesome. Thanks a lot for sharing. Keep blogging.. prijsvergelijk
2022年4月22日 04:29
You have performed a great job on this article. It’s very precise and highly qualitative. You have even managed to make it readable and easy to read. You have some real writing talent. Thank you so much. tower extension
2022年4月23日 00:21 You have performed a great job on this article. It’s very precise and highly qualitative. You have even managed to make it readable and easy to read. You have some real writing talent. Thank you so much. shein discount code uk
2022年4月23日 00:55
I have read your article couple of times because your views are on my own for the most part. It is great content for every reader. using WordPress
2022年4月28日 23:59
You could definitely see your skills in the work you write. The world hopes for more passionate writers like you who aren’t afraid to say how they believe. At all times follow your heart UV IR Flame Detector
==================================================================
Pretty right subdivision. I just came across your website and wanted to tell that I have really enjoyed reading your opinions. AnyhowI’ll be coming back and I hope you post again soon. شرکت پشتیبانی شبکه
2022年5月02日 19:21
Very interesting points you have remarked, appreciate it for putting up. growing crops
2022年5月03日 01:50
But a smiling visitor here to share the love btw great pattern . Executive
2022年5月04日 17:21
of fighters to grace the Manny Pacquiao vs Shane Mosley Pay Per View event scheduled today matress
======================================================================
I like what you guys are up also. Such clever work and reporting! Carry on the excellent works guys I have incorporated you guys to my blogroll. I think it will improve the value of my website . baby bed bugs
2022年9月22日 02:32
KVS Sample Paper 2023 Pdf Download for Kendriya Vidyalaya Sangathan Class 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 & 12 Arts, KVS Model Paper Science & Commerce Stream Practice Paper Suggestions with Past years old exam Solved Question Bank for all Regional Students of English Medium, Hindi Medium & Urdu Medium Studying in KVS Schools across the Country. All the Kendriya Vidyalaya Sangathan Board Students can download the Sample Paper Suggestions with Model Papers along with Previous Years old Exam Solved Question Bank for all Languages & Subjects of the Course.
2023年8月07日 03:30
I truly like you're composing style, incredible data, thankyou for posting. 먹튀검증
2023年8月09日 04:24
Great site! I genuinely cherish how it is simple on my eyes it is. I am considering how I may be told at whatever point another post has been made. I have subscribed to your RSS which may do the trap? Have an extraordinary day! Ac repair las vegas
2023年8月28日 06:10
Your online journal gave us important data to work with. Each and every tips of your post are wonderful. You rock for sharing. Continue blogging.. conversion
2023年9月03日 07:09
Extraordinary post, you have pointed out some phenomenal focuses , I in like manner think this s an extremely great site. 먹튀검증
2023年10月03日 04:58
I discovered your this post while hunting down some related data on website search...Its a decent post..keep posting and upgrade the data. 토토사이트