Known style-attribute XSS attacks look like:
<DIV STYLE="width: expression(alert('XSS'));">
or
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
All the examples I have seen use expression or the url function - basically something that looks like a function call, i.e. needs "(" and ")".
I am considering a way of filtering style tags where I would check them against the following (approximate) grammar:
identifier: [a-zA-Z_][a-zA-Z0-9\-]*
number: [0-9]+
string: '[a-zA-Z_0-9 ]*'
value : identifier | number | string | number + "(em|px)" | number +"%"
entry: identifier ":" value (\s value )*
style: (entry ;)*
So basically I allow ASCII properties with numeric values or very limited string values (basically font names), and I do not allow anything that looks like a call.
The question is: is this good enough? Is it possible to do an attack along the lines of
<DIV STYLE="this-is-js-property: alert 'XSS';">
and succeed?
Can anyone think of an XSS exploit that passes this kind of test?
To be clear:
I need style attributes, because many tools (like TinyMCE) use them, and filtering out harmless style attributes would seriously hurt functionality.
So I would rather let the common cases through while removing anything that could use @import, url, expression, etc., and also make sure the basic CSS syntax is okay.
Answer
No, it is not safe, because of clickjacking.
When programming with GDI+, do I need to stick to the using pattern for all the various objects such as Brush and Font? It makes the code very cluttered.
Any suggestions?
I am getting an InstantiationException in my MyFaces 2 application, but the exception printing done via log4j is cutting off the rest of the stack trace. This is what I see:
javax.faces.FacesException: java.lang.InstantiationException
	at org.apache.myfaces.config.ManagedBeanBuilder.buildManagedBean(ManagedBeanBuilder.java:240)
	at org.apache.myfaces.el.unified.resolver.ManagedBeanResolver.createManagedBean(ManagedBeanResolver.java:303)
	at org.apache.myfaces.el.unified.resolver.ManagedBeanResolver.getValue(ManagedBeanResolver.java:266)
	at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:54)
	at org.apache.myfaces.el.unified.resolver.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:142)
	at org.apache.myfaces.el.convert.VariableResolverToELResolver.getValue(VariableResolverToELResolver.java:116)
	at org.apache.myfaces.el.VariableResolverImpl.resolveVariable(VariableResolverImpl.java:65)
	at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:54)
	at org.apache.myfaces.el.unified.resolver.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:142)
	at org.apache.el.parser.AstIdentifier.getValue(AstIdentifier.java:61)
	at org.apache.el.parser.AstValue.getValue(AstValue.java:107)
	at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186)
	at org.apache.myfaces.view.facelets.el.TagValueExpression.getValue(TagValueExpression.java:85)
	at javax.faces.component._DeltaStateHelper.eval(_DeltaStateHelper.java:243)
	at javax.faces.component.UIOutput.getValue(UIOutput.java:71)
	at javax.faces.component.UIInput.getValue(UIInput.java:143)
	at javax.faces.component.UISelectBoolean.getValue(UISelectBoolean.java:148)
	at org.apache.myfaces.shared_impl.renderkit.RendererUtils.getObjectValue(RendererUtils.java:238)
	at org.apache.myfaces.shared_impl.renderkit.RendererUtils.getBooleanValue(RendererUtils.java:193)
	at org.apache.myfaces.shared_impl.renderkit.html.HtmlCheckboxRendererBase.encodeEnd(HtmlCheckboxRendererBase.java:79)
	at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:519)
	at javax.faces.component.UIComponent.encodeAll(UIComponent.java:626)
	at javax.faces.component.UIComponent.encodeAll(UIComponent.java:622)
	at javax.faces.component.UIComponent.encodeAll(UIComponent.java:622)
	at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage.renderView(FaceletViewDeclarationLanguage.java:1320)
	at org.apache.myfaces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:263)
	at javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:59)
	at org.apache.myfaces.tomahawk.application.ResourceViewHandlerWrapper.renderView(ResourceViewHandlerWrapper.java:93)
	at org.apache.myfaces.lifecycle.RenderResponseExecutor.execute(RenderResponseExecutor.java:85)
	at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:239)
	at javax.faces.webapp.FacesServlet.service(FacesServlet.java:191)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:349)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
	at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
	at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
	at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
	at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
	at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
	at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.InstantiationException
	at sun.reflect.InstantiationExceptionConstructorAccessorImpl.newInstance(InstantiationExceptionConstructorAccessorImpl.java:30)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
	at java.lang.Class.newInstance0(Class.java:355)
	at java.lang.Class.newInstance(Class.java:308)
	at org.apache.myfaces.config.annotation.TomcatAnnotationLifecycleProvider.newInstance(TomcatAnnotationLifecycleProvider.java:49)
	at org.apache.myfaces.config.ManagedBeanBuilder.buildManagedBean(ManagedBeanBuilder.java:162)
	... 48 more
I cannot find where to change the configuration so that I can see the "... 48 more". Any ideas?
class theClass {
    function doSomeWork($var) {
        return ($var + 2);
    }
    public $func = "doSomeWork";
    function theFunc($min, $max) {
        return (array_map(WHAT_TO_WRITE_HERE, range($min, $max)));
    }
}
$theClass = new theClass;
print_r(call_user_func_array(array($theClass, "theFunc"), array(1, 5)));
exit;
Can anyone tell me what I can write in place of WHAT_TO_WRITE_HERE so that the doSomeWork function is passed as the first argument to array_map and the code works correctly,
and gives output as
Array
(
[0] => 3
[1] => 4
[2] => 5
[3] => 6
[4] => 7
)
So basically my question is: does the bounds CGRect change with the screen orientation, or is it static?
Thanks!
Just doing my homework and found this piece:
A[j]=A[j-1];
j--;
Is there a way to simplify these lines? Edit: into one statement?
I tried
A[j--]=A[j];
but it does not seem to work well.
The code comes from the insertion sort algorithm.
Edit: this question is not about doing my homework for me, I am just curious.
Is there a (portable, if possible) way to determine the absolute path of a loaded class?
Of course this is not always possible (think of dynamically created classes), but if the loaded Class is inside a jar, how can I get the absolute path of that jar?
I have a suspicious application that makes HTTP requests to a website, and I want to intercept that request and send additional data to the server. Is this possible in C#, Java or C++?
Edit: the application is not mine, I only know the endpoint it sends HTTP requests to.
Are there any guidelines on when to stop chaining methods and instead break the chain into multiple expressions?
Consider for example this Python code, which builds a dictionary with each word as key and the corresponding count as value:
from collections import defaultdict

def build_dict(filename):
    with open(filename, 'r') as f:
        dict = defaultdict(int)
        for word in f.read().lower().split(): # too much?
            dict[word] += 1
        return dict
Is chaining 3 methods okay? Would I gain any significant benefit by splitting the expression?
I have been struggling with this.
I installed Rails 3, gems and mysql on a Snow Leopard machine. Everything went fine until I created my first project and tried to run
rails server
Running this I get:
jontybrook$ rails server
/Library/Ruby/Gems/1.8/gems/mysql2-0.2.6/lib/mysql2/mysql2.bundle: dlopen(/Library/Ruby/Gems/1.8/gems/mysql2-0.2.6/lib/mysql2/mysql2.bundle, 9): Library not loaded: libmysqlclient.16.dylib (LoadError)
Referenced from: /Library/Ruby/Gems/1.8/gems/mysql2-0.2.6/lib/mysql2/mysql2.bundle
Reason: image not found - /Library/Ruby/Gems/1.8/gems/mysql2-0.2.6/lib/mysql2/mysql2.bundle
from /Library/Ruby/Gems/1.8/gems/mysql2-0.2.6/lib/mysql2.rb:7
from /Library/Ruby/Gems/1.8/gems/bundler-1.0.7/lib/bundler/runtime.rb:64:in `require'
from /Library/Ruby/Gems/1.8/gems/bundler-1.0.7/lib/bundler/runtime.rb:64:in `require'
from /Library/Ruby/Gems/1.8/gems/bundler-1.0.7/lib/bundler/runtime.rb:62:in `each'
from /Library/Ruby/Gems/1.8/gems/bundler-1.0.7/lib/bundler/runtime.rb:62:in `require'
from /Library/Ruby/Gems/1.8/gems/bundler-1.0.7/lib/bundler/runtime.rb:51:in `each'
from /Library/Ruby/Gems/1.8/gems/bundler-1.0.7/lib/bundler/runtime.rb:51:in `require'
from /Library/Ruby/Gems/1.8/gems/bundler-1.0.7/lib/bundler.rb:112:in `require'
from /Users/jontybrook/Dropbox/CODING/simple_cms/config/application.rb:7
from /Library/Ruby/Gems/1.8/gems/railties-3.0.3/lib/rails/commands.rb:28:in `require'
from /Library/Ruby/Gems/1.8/gems/railties-3.0.3/lib/rails/commands.rb:28
from /Library/Ruby/Gems/1.8/gems/railties-3.0.3/lib/rails/commands.rb:27:in `tap'
from /Library/Ruby/Gems/1.8/gems/railties-3.0.3/lib/rails/commands.rb:27
from script/rails:6:in `require'
from script/rails:6
jontybrook$
As far as I can tell, the problem lies with the mysql2 gem. MySQL seems to be running fine, my Gemfile references mysql2, and my database.yml file seems okay.
The error mentions
Reason: image not found - /Library/Ruby/Gems/1.8/gems/mysql2-0.2.6/lib/mysql2/mysql2.bundle
but
jontybrook$ cd …