douqiu9529 2013-07-20 02:36
98 views

Basic understanding of XSS

I'm using Symfony2 / Twig / Doctrine.

I'm looking at security on my site and in particular preventing XSS attacks, but I can't see what more I can do.

  1. Persistent

    I use Doctrine and always ensure I make user input safe, refusing HTML, web addresses and email addresses etc. (if applicable, e.g. a comment box). I also use Twig (which I believe escapes output).

  2. Reflective

    My understanding is that anyone could send an email to someone with a link to any website that also injects JavaScript. That JS can of course do anything. That JS could have a login form be submitted to any web address and there is nothing you can do (other than hope stupid people don't click links from random people to my site's login page).

So unless you can prevent JS being injected, then what more can I do?

I don't believe you can prevent a site from running a JS script on another server (my valid JS comes from a CDN anyway which is on another server) and I don't think you can prevent an HTML form being submitted to another server.

I do believe that cross domain protection does prevent the injected JS from calling an Ajax request though - but I haven't done anything about this, I just think that is how modern browsers work.

Is anything else in my hands? As long as I have done everything else possible that's enough for me.

I suppose I'm wondering why there isn't much I can do about this when some people make a living out of advising on XSS protection. Maybe it's because I use Symfony2 / Twig / Doctrine?

Just looking for help to clarify my understanding.


1 answer

  • doujin8476 2014-01-08 16:27

    Content Security Policy solves the problem of injected JavaScript by banning any inline JavaScript and validating content sources.

    Info: https://developer.mozilla.org/en-US/docs/Security/CSP/Using_Content_Security_Policy

    Browser support: http://caniuse.com/contentsecuritypolicy

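One concrete way to apply the answer's advice in the Symfony2 stack from the question, as an added example rather than code from the answer's author or from the Symfony project: a kernel.response listener that sets a Content-Security-Policy header which allows the CDN, blocks inline script, and uses form-action to stop a login form being submitted to another origin. The bundle namespace, the CDN host and the report path are assumptions.

```php
<?php
// Added example (not from the question or answer): a Symfony2 kernel.response
// listener that attaches a Content-Security-Policy header to every response.
// Namespace, CDN host and report endpoint are assumptions for illustration.
namespace Acme\DemoBundle\EventListener;

use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;

class CspListener
{
    // Hypothetical CDN that serves the site's own JavaScript.
    const CDN = 'https://cdn.example.com';

    public function onKernelResponse(FilterResponseEvent $event)
    {
        // Only decorate the master request, not sub-requests (ESI, fragments).
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }

        $directives = array(
            // Fallback for every fetch type not listed below.
            "default-src 'self'",
            // Scripts may come from this origin or the CDN only. Inline
            // <script> blocks and on* handlers are not allowed, so script
            // injected through a comment box does not execute.
            "script-src 'self' " . self::CDN,
            // Forms may only be submitted back to this origin, so a login
            // form cannot be pointed at an attacker's server.
            "form-action 'self'",
            // XHR from page script may only target this origin.
            "connect-src 'self'",
            // The browser POSTs a JSON violation report here; inspect its
            // blocked-uri and violated-directive fields to spot attempts.
            "report-uri /csp-report",
        );

        $event->getResponse()->headers->set(
            'Content-Security-Policy',
            implode('; ', $directives)
        );
    }
}

// Registration in the bundle's services.yml:
// services:
//     acme_demo.csp_listener:
//         class: Acme\DemoBundle\EventListener\CspListener
//         tags:
//             - { name: kernel.event_listener, event: kernel.response, method: onKernelResponse }
```

form-action is a CSP Level 2 directive, so the older browsers in the caniuse table linked above ignore it while still enforcing script-src; any inline script Twig templates currently rely on must be moved to external files before the policy is enabled.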
