drjun1994 2015-06-03 07:23
Views 22

Preventing JavaScript injection in data attributes

I have a script that pulls a text from an API and sets that as a tooltip in my html.

<div class="item ttip" data-html="<?php echo $obj->titleTag;?>">...</div>

The API allows html and javascript to be entered on their side for that field.

I tried this: $obj->titleTag = htmlentities(strip_tags_content($this->channel->status));

I now had a user that entered the following (or similar; he is blocked now, so I cannot check it again):

\" <img src="xx" onerror=window.location.replace(https://www.youtube.com/watch?v=IAISUDbjXj0)>

which does not get caught by the above. I could str_replace the window.location stuff, but that seems dirty. What would be the right approach? I am reading a lot of "Whitelists" but I don't understand the concept for such a case.

//EDIT strip_tags_content comes from here: https://php.net/strip_tags#86964


1 answer

  • dongque1646 2015-06-03 07:36

    Well, it's not tags you're replacing now but code within tags. You need to allow certain attributes in your code rather than stripping tags, since you've only got one tag in there ;)

    What you wanna do is check for any handlers being bound in the JS, a full list here, and then remove them if anything contains something like onerror or so.

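The allow-list approach the answer recommends, as an added example that is not code from the question or the answer. Because the tooltip renders data-html as markup, the browser undoes the attribute encoding before the tooltip inserts it, so the content itself has to be restricted: the code below parses the API text with PHP's DOMDocument, keeps only an assumed small set of tags and attributes, and drops every other tag and every on* handler.

```php
<?php
// Added example (not from the question or the answer). The allowed tag and
// attribute set is an assumed policy; adjust it to what the tooltip needs.
// Requires ext/dom (bundled with PHP).
const ALLOWED = ['b' => [], 'i' => [], 'em' => [], 'strong' => [], 'br' => [], 'a' => ['href']];

function sanitizeTooltipHtml(string $dirty): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                  // API text is often malformed; stay quiet
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $dirty . '</div>');
    libxml_clear_errors();
    $wrapper = $doc->getElementsByTagName('div')->item(0);   // our wrapper is first in document order
    cleanChildren($wrapper);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);                // serialise only what survived
    }
    return $out;
}

function cleanChildren(DOMNode $parent): void
{
    foreach (iterator_to_array($parent->childNodes) as $child) {   // snapshot: the list is mutated
        if ($child instanceof DOMText) {
            continue;                                  // plain text cannot carry a handler
        }
        if (!($child instanceof DOMElement)) {
            $parent->removeChild($child);              // comments, processing instructions, ...
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED[$tag])) {
            // Unknown element (img, script, iframe, ...): keep its visible text, drop the element.
            $parent->replaceChild($parent->ownerDocument->createTextNode($child->textContent), $child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED[$tag], true);        // anything not listed goes, on* included
            if ($name === 'href' && !preg_match('#^https?://#i', trim($attr->value))) {
                $keep = false;                         // no javascript: / data: links
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
        cleanChildren($child);                         // recurse into the allowed element
    }
}

// Constructed input modelled on the payload in the question, plus markup that should survive.
$sample = '\" <img src="xx" onerror=window.location.replace(https://example.invalid)> <b>ok</b> <a href="javascript:alert(1)">x</a>';
$clean  = sanitizeTooltipHtml($sample);
// Still escape for the attribute context; the tooltip decodes and renders the cleaned markup.
echo '<div class="item ttip" data-html="' . htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">...</div>';
```

Run the sanitizer on the raw API value rather than on the htmlentities() output, and keep the htmlspecialchars() call for the attribute itself.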
