
I'm sure that the answer to this question is No, but I can't seem to find a way that simply transforming < and > to &lt; and &gt; doesn't completely block reflected and persistent XSS.

I'm not talking about CSRF.

If this doesn't block XSS, can you provide an example of how to bypass this defence?


asked Apr 17, 2011 at 20:33 by M. Biolic; edited Feb 17, 2015 at 10:53 by TRiG

4 Answers

Not all XSS attacks include < or > at all, depending on where the data is being inserted.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Why_Can.27t_I_Just_HTML_Entity_Encode_Untrusted_Data.3F

When using an untrusted string in an attribute (quoted with ") you need to escape " as &quot;.

Otherwise you could easily inject JavaScript. For example, <a href="{{str}}"> with str being, for example, " onmouseover='something-evil'".

No. Here are a couple of examples where escaping <, >, ', " and & is not enough:

Example 1:

<a href="{{myUrl}}">

XSS Attack:

myUrl = "javascript:alert(1)"

Example 2:

<script>var page = {{myVar}};</script>

XSS Attack:

myVar = "1;alert(1)"

See https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for ways of preventing these attacks.
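The three contexts the answers above describe (an attribute value from the first answer, and the href and script-block slots from the second) each need a different rule, not a bigger entity table. The following is an added example, written for this page and not code from any of the answers or from OWASP; the function names, the `app.example` base origin and the sample inputs are all constructed for the demonstration. It runs under Node.js with no dependencies.

```javascript
// Added example, not code from the original answers: one small encoder per
// output context, matching the three cases the answers describe. Node.js
// (>= 10 for the WHATWG URL class), no third-party dependencies.

// Context A: HTML attribute value (first answer). Escaping < and > alone
// leaves the quote characters free to close the attribute, so & < > " ' are
// all encoded, & first so existing entities are not double-encoded.
function escapeHtmlAttribute(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Context B: href / src (example 1). No amount of entity encoding changes
// the meaning of a javascript: URL, so the scheme is allow-listed after the
// value is parsed; the parser normalizes scheme case and surrounding
// whitespace, which a raw prefix check would not.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// base is an assumed site origin, used only to resolve relative paths.
function safeHref(untrusted, base = "https://app.example/") {
  let url;
  try {
    url = new URL(String(untrusted), base);  // relative paths resolve against base
  } catch {
    return "#";                              // unparsable input: neutral link target
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return "#";
  return url.href;
}

// Context C: value inside a <script> block (example 2). The value becomes a
// JSON literal (so it is data, never a statement), and < > & and the JS line
// terminators U+2028/U+2029 are written as \uXXXX so the literal can never
// contain "</script>" or break the line structure.
function jsLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Template that uses the right encoder for each slot; the href result is
// still attribute-encoded because it lands inside a quoted attribute.
function renderPage(untrustedUrl, untrustedTitle, untrustedVar) {
  return [
    `<a href="${escapeHtmlAttribute(safeHref(untrustedUrl))}" title="${escapeHtmlAttribute(untrustedTitle)}">link</a>`,
    `<script>var page = ${jsLiteral(untrustedVar)};</script>`,
  ].join("\n");
}

// Checks that the script slot round-trips as data: evaluating the generated
// statement yields the original value, whatever characters it contained.
function roundTripsAsData(value) {
  const page = new Function(`var page = ${jsLiteral(value)}; return page;`)();
  return page === value;
}

// Counts attribute names in a single start tag (constructed helper for the
// demo, not a full HTML parser): shows whether a value escaped the quotes.
function attributeNames(startTag) {
  const inner = startTag.slice(startTag.indexOf(" ") + 1, startTag.indexOf(">"));
  const re = /([A-Za-z][^\s=]*)(?:=("[^"]*"|'[^']*'|[^\s"']+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// Constructed inputs in the shape the answers describe.
const INPUTS = {
  url: "javascript:alert(1)",
  title: "\" onmouseover='something-evil'",
  variable: "1;alert(1)",
};

function demo() {
  const html = renderPage(INPUTS.url, INPUTS.title, INPUTS.variable);
  const [anchor] = html.split("\n");
  return {
    html,
    href: safeHref(INPUTS.url),                      // "#"
    anchorAttrs: attributeNames(anchor),             // ["href", "title"]
    scriptIsData: roundTripsAsData(INPUTS.variable), // true
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo().html);
}
```

The point of `safeHref` is that the decision is made on the parsed `protocol`, so the check cannot be sidestepped by how the scheme is spelled; the point of `jsLiteral` is that the untrusted value is serialized rather than escaped, so `var page = ...` always assigns a string and never runs a second statement.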

No, it's not sufficient. Remember that XSS isn't just about untrusted data in HTML; you'll also find it in JavaScript and CSS. Think about a situation such as "var myVar = [input];" There are all sorts of malicious things you can do with that [input] value without going anywhere near angle brackets. There are many more examples over in the XSS cheat sheet: http://ha.ckers.org/xss.html

You've mentioned ASP.NET in the tag; what you want to be looking at is the AntiXSS library. Grab this and use the appropriate output encoding:

Encoder.CssEncode()
Encoder.HtmlEncode()
Encoder.HtmlAttributeEncode()
Encoder.JavaScriptEncode()

etc. etc. There's absolutely no reason to try and do your own character substitution in .NET.

Tags: javascript | Is escaping < and > sufficient to block XSS attacks? | Stack Overflow