How to use fckEditor safely without the risk of cross-site scripting?

Problem description

This link describes an exploit into my app using fckEditor: http://knitinr.blogspot.com/2008/07/script-exploit-via-fckeditor.html

How do I make my app secure while still using fckEditor? Is it an fckEditor configuration? Is it some processing I'm supposed to do server-side after I grab the text from fckEditor?

It's a puzzle because fckEditor USES html tags for its formatting, so I can't just HTML encode when I display back the text.

Recommended answer

Sanitize html server-side, no other choice. For PHP it would be HTML Purifier, for .NET I don't know. It's tricky to sanitize HTML - it's not sufficient to strip script tags, you also have to watch out for on* event handlers and even more, thanks to stupidities of IE for example.

Also with custom html and css it's easy to hijack look and layout of your site - using overlay (absolutely positioned) which covers all screen etc. Be prepared for that.
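The following is an added illustration of the server-side, allowlist-based sanitization the answer recommends; it is neither HTML Purifier nor any code from FCKeditor, and the choice of allowed tags, allowed attributes and URL schemes is an assumption made for the example. Rather than trying to blacklist `<script>` and `on*` handlers, it keeps only a fixed set of formatting tags and attributes, so event handlers, `style` attributes (the overlay trick) and `javascript:` URLs never survive regardless of how they are spelled.

```python
# Added example: allowlist HTML sanitizer for rich-text editor output.
# Not HTML Purifier and not part of FCKeditor; the allowlists below are
# assumptions chosen for illustration.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Only these tags survive; anything else (script, style, div, iframe, ...)
# is dropped as a tag while its text content is kept.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "a", "img", "h1", "h2", "h3", "blockquote"}
VOID_TAGS = {"br", "img"}
# Per-tag attribute allowlist. Nothing here starts with "on", and "style"
# is absent, so event handlers and absolutely positioned overlays cannot pass.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" means a relative URL


def safe_url(value):
    """Accept only http(s), mailto or relative URLs; reject javascript:, data:, etc."""
    # Drop whitespace and control characters first so "java\tscript:" cannot
    # slip past the scheme check.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.open_tags = []  # stack of allowed tags still open
        self.skipping = 0    # > 0 while inside <script>/<style>: content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return  # drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers on*, style, class, id and anything unknown
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
            return
        if self.skipping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close any still-open inner tags first so the output stays well-formed.
            while self.open_tags:
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        # Text is re-escaped, so "<" typed by the user renders as text, not markup.
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are dropped

    def result(self):
        while self.open_tags:  # close whatever the input left unclosed
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return a sanitized copy of editor-supplied HTML."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of the kind of markup an editor user could submit.
    sample = ('<p onclick="alert(1)">Hello <b>world</b></p>'
              '<script>alert(1)</script>'
              '<div style="position:absolute;top:0;left:0;width:100%;height:100%">cover</div>'
              '<a href="javascript:alert(1)">link</a>')
    print(sanitize(sample))
```

The key design choice is that the sanitizer never asks "is this attribute dangerous?" but only "is this attribute explicitly allowed for this tag?", which is what makes it robust against the IE-specific spellings the answer alludes to. Because the parser re-serializes the document from scratch, the output is also well-formed even when the input is not, so an unclosed `<b>` cannot leak formatting into the rest of the page.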


07-24 19:03