如何在以下代码中防止XSS？

Question

我在HTML5 + Javascript中编写了一些代码,当用户在User中输入他的名字时,它会像" Hello <user>" 一样反映出来.现在这个脚本容易受到XSS(跨站点脚本)的攻击.

这是我的代码:

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>Forms Welcome</title>

<script>
function write_name(){

    var welcome_parra = document.getElementById('welcome');
    var name =  document.getElementById('name');
    welcome_parra.innerHTML = "welcome " + name.value;
}
</script>
</head>

<body>
    <p id="welcome"></p>
    <form>
        Username: <input type="text" name="username" maxlength="20" id="name"/>
        <input type="button" value="done"onclick="write_name();">
    </form>
 /body>

</title>

现在,当我输入有效载荷时"><img src=x onerror=prompt(404)>,我得到了XSS的提示.那么我该如何纠正呢？

任何人都可以检查主机,尝试修补错误,并给我一个理由？

Answer 1

您可以对输入进行HTML编码,使其对XSS安全.添加功能:

function escapeInput(input) {
    return String(input)
            .replace(/&/g, '&')
            .replace(/"/g, '"')
            .replace(/'/g, ''')
            .replace(/</g, '&lt;')
            .replace(/>/g, '&gt;');
}

并编码用户输入:

<script>
function write_name(){

    var welcome_parra = document.getElementById('welcome');
    var name =  document.getElementById('name');
    welcome_parra.innerHTML = "welcome " + escapeInput(name.value);
}
</script>

Answer 2

您可以尝试以下操作：

\n\n

function checkInput(string) {\n    var regex = /^[^0-9*\\\\\\^\\/<>_#\']+$/;\n    if(regex.test(string)) {\n        return true;\n    } else {\n        return false;\n    }\n}\n

\n\n

这样你就可以知道字母是否用于 XSS 攻击，然后就不要发送表单了

\n\n

除了上述之外，我还使用此函数来验证表单：

\n\n

checkField:function(string, type) {\n    var regex;\n    switch (type) {\n        case "number":\n            regex = /^[\\d]+$/;\n            break;\n        case "string":\n            regex = /^[^0-9*\\\\\\^\\/<>_#\']+$/;\n            break;\n        case "email":\n            regex = /^([a-zA-Z0-9_.+-])+\\@(([a-zA-Z0-9-])+\\.)+([a-zA-Z0-9]{2,7})+$/;\n            break;\n    }\n    if (regex.test(string)) {\n         return true;\n    } \n    return false;\n},\n

\n\n

您可以根据需要添加任意数量的案例。我希望这能以任何方式帮助你

\n\n

但要 100% 安全地抵御 xss 攻击，您必须验证服务器上的表单，因此我遵循 2 个简单的规则：
\n规则一：切勿使用未选中的表单数据\xc2\xb4s
\n规则二：切勿使用表单数据\ xc2\xb4s 无需替换脚本或代码相关部分，例如 <%>/\\ 等

因为我可以简单地复制您的表单并将其发送到确切的地址，所以我会绕过客户端检查/验证，但对于您的情况，因为您不将表单发送到其他地方，防止输入代码应该足够了

\n\n

更新：

\n\n

Javascript 在 Brainfuck 基础上编译了一些奇特的 xss 攻击，仅举个例子

\n\n

(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+!+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()\n

\n\n

这将在警报窗口中给出 1...

\n\n

那些使用过的字母也应该检查

\n