Preventing XSS in server-side JavaScript

This article covers how to prevent XSS in a Node.js / server-side JavaScript application; the question and the recommended answer follow.

Problem description

Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes, etc. from POSTed data?

I don't want to have to write a regex for all that :)

Any suggestions?

Recommended answer

One of the answers to Sanitize/Rewrite HTML on the Client Side suggests borrowing the whitelist-based HTML sanitizer in JS from Google Caja which, as far as I can tell from a quick scroll-through, implements an HTML SAX parser without relying on the browser's DOM.

Update: Also, keep in mind that the Caja sanitizer has apparently been given a full, professional security review while regexes are known for being very easy to typo in security-compromising ways.

Update 2017-09-24: There is also now DOMPurify. I haven't used it yet, but it looks like it meets or exceeds every point I look for:

  • Relies on functionality provided by the runtime environment wherever possible. (Important both for performance and to maximize security by relying on well-tested, mature implementations as much as possible.)
    • Relies on the browser's DOM or jsdom for Node.JS.
  • Default configuration designed to strip as little as possible while still guaranteeing removal of javascript.
    • Supports HTML, MathML and SVG
    • Falls back to Microsoft's proprietary, non-configurable toStaticHTML under IE8 and IE9.
  • Highly configurable, making it suitable for enforcing limitations on an input which can contain arbitrary HTML, such as a WYSIWYG or Markdown comment field. (In fact, it's the top of the pile here)
    • Supports the usual tag/attribute whitelisting/blacklisting and URL regex whitelisting
    • Has special options to perform further sanitizing for certain common types of HTML template metacharacters.
  • They're serious about compatibility and reliability
    • Automated tests run on 16 different browsers as well as three different major versions of Node.JS.
    • To make sure developers and CI hosts are all on the same page, lock files are published.
