I wrote some code in HTML5 + JavaScript: when a user enters their name in the Username field, it is reflected back as "Hello <user>". Now this script is vulnerable to XSS (cross-site scripting).
Here is my code:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>Forms Wele</title>
<script>
/**
 * Reads the #name input and writes "wele <value>" into the element with id 'wele'.
 * The value is assigned through innerHTML without any encoding, so markup typed
 * into the field is parsed as HTML — this assignment is the XSS sink the
 * question is about.
 * @returns {void}
 */
function write_name() {
  const target = document.getElementById('wele');
  const input = document.getElementById('name');
  target.innerHTML = `wele ${input.value}`;
}
</script>
</head>
<body>
<p id="wele"></p>
<form>
Username: <input type="text" name="username" maxlength="20" id="name"/>
<input type="button" value="done" onclick="write_name();">
</form>
</body>
</html>
Now, when I enter the payload "><img src=x onerror=prompt(404)>, I get a prompt from the XSS. So how do I rectify it?
Can anyone please check the code, try to patch the bug, and give me the reason?
I wrote some code in HTML5 + JavaScript: when a user enters their name in the Username field, it is reflected back as "Hello <user>". Now this script is vulnerable to XSS (cross-site scripting).
Here is my code:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>Forms Wele</title>
<script>
/**
 * Reads the #name input and writes "wele <value>" into the element with id 'wele'.
 * The value is assigned through innerHTML without any encoding, so markup typed
 * into the field is parsed as HTML — this assignment is the XSS sink the
 * question is about.
 * @returns {void}
 */
function write_name() {
  const target = document.getElementById('wele');
  const input = document.getElementById('name');
  target.innerHTML = `wele ${input.value}`;
}
</script>
</head>
<body>
<p id="wele"></p>
<form>
Username: <input type="text" name="username" maxlength="20" id="name"/>
<input type="button" value="done" onclick="write_name();">
</form>
</body>
</html>
Now, when I enter the payload "><img src=x onerror=prompt(404)>, I get a prompt from the XSS. So how do I rectify it?
Can anyone please check the code, try to patch the bug, and give me the reason?
asked Dec 14, 2015 at 7:12 by Yada Rahall; edited Feb 27, 2017 at 19:30 by Jonathan Leffler. Comments: - Hi! Welcome to Stack Overflow! I've edited your question; you should put the code in your question instead of in an external link :D – Zorgatone, Dec 14, 2015 at 7:16
- It's not really vulnerable to XSS because nobody can enter text and click the button apart from the user. It's a sort of "self XSS" I guess, but then they could do that via developer tools. – SilverlightFox Commented Dec 14, 2015 at 17:15
- Yes, it is not vulnerable to stored XSS, but to self-XSS. But as developers we also need to prevent that :) @SilverlightFox – Yada Rahall, Dec 15, 2015 at 6:33
- Yes, it's always good to properly encode for functional reasons too - many fewer bugs that way. – SilverlightFox Commented Dec 15, 2015 at 9:40
3 Answers
You can HTML-encode the input to make it XSS-safe. Add this function:
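/**
 * HTML-encodes a value so it can be inserted into element content (or a
 * double-/single-quoted attribute value) without being parsed as markup.
 * The replacement targets in the original listing had been decoded back to the
 * raw characters (e.g. replacing `&` with `&`), which made the function a no-op;
 * the named entities are restored here.
 * @param {*} input - Value to encode; non-strings are converted with String().
 * @returns {string} The encoded text.
 */
function escapeInput(input) {
  const entities = {
    '&': '&amp;',
    '"': '&quot;',
    "'": '&#39;',
    '<': '&lt;',
    '>': '&gt;',
  };
  // A single pass avoids the ordering hazard of chained replace() calls,
  // where encoding '&' after the other characters would double-encode them.
  return String(input).replace(/[&"'<>]/g, (ch) => entities[ch]);
}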
And encode user input:
<script>
/**
 * Reads the #name input and writes "wele <value>" into the element with id 'wele'.
 * The value is passed through escapeInput() first, so markup characters are
 * rendered as literal text even though innerHTML is still the sink.
 * @returns {void}
 */
function write_name() {
  const target = document.getElementById('wele');
  const input = document.getElementById('name');
  target.innerHTML = `wele ${escapeInput(input.value)}`;
}
</script>
You could try the following:
/**
 * Accepts a string only if no character comes from a fixed denylist
 * (digits, *, \, ^, /, <, >, _, #, '). The empty string is rejected too,
 * because the pattern requires at least one character.
 * Note: this is input filtering by character class, not output encoding; the
 * denylist does not cover every markup-significant character (e.g. `"` or `&`),
 * so treat it as a supplement to encoding at the point of output, not a replacement.
 * @param {string} string - Text to check.
 * @returns {boolean} true when every character is outside the denylist.
 */
function checkInput(string) {
  const allowed = /^[^0-9*\\\^\/<>_#']+$/;
  return allowed.test(string);
}
This way you would find out whether characters usable for XSS attacks are present, and then simply not send the form.
Instead of the above, I also use this function for form validation:
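/**
 * Validates `string` against the pattern selected by `type`.
 *   "number": one or more digits
 *   "string": no character from the denylist 0-9 * \ ^ / < > _ # '
 *   "email":  local@domain.tld with letters, digits, dots and hyphens, TLD of 2+ alphanumerics
 * @param {string} string - Text to validate.
 * @param {string} type - "number", "string" or "email".
 * @returns {boolean} true when the whole string matches; false for an
 *   unrecognised type instead of throwing on an undefined pattern.
 */
checkField: function(string, type) {
  let regex;
  switch (type) {
    case "number":
      regex = /^[\d]+$/;
      break;
    case "string":
      regex = /^[^0-9*\\\^\/<>_#']+$/;
      break;
    case "email":
      // Accepts exactly the same strings as the grouped form
      // ^([a-zA-Z0-9_.+-])+\@(([a-zA-Z0-9-])+\.)+([a-zA-Z0-9]{2,7})+$
      // but without the `([...]{2,7})+` repetition, whose ambiguous split of
      // the TLD can backtrack heavily on long non-matching input (ReDoS).
      regex = /^[a-zA-Z0-9_.+-]+@([a-zA-Z0-9-]+\.)+[a-zA-Z0-9]{2,}$/;
      break;
    default:
      // Unknown type: reject rather than calling .test on undefined.
      return false;
  }
  return regex.test(string);
},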
where you can add as many cases as you want and need. I hope this helps in some way.
But to be 100% safe from XSS attacks you have to validate the form on the server, so I follow two simple rules:
Rule number one: never use form data unchecked.
Rule number two: never use form data without replacing script- or code-relevant pieces like <, %, >, /, \ and so on.
Since I could simply copy your form and send it to the exact address, I would bypass a client-side check/validation; but in your case, since you don't send the form anywhere else, preventing code from being entered should be enough.
UPDATE:
JavaScript compiles some fancy XSS attacks on a brainfuck-like basis; for instance:
// Obfuscated JavaScript written only with the characters [ ] ( ) ! + (the
// "JSFuck" encoding); per the answer text it opens an alert showing 1.
// None of those characters are in the denylists used by checkInput/checkField,
// which is why filtering input by character class is not a sufficient defence
// on its own — encode at the point of output (or assign via textContent) instead.
(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]
+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+!+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
which will show 1 in an alert window...
The characters used there should be checked as well.
It's very easy: just assign to `innerText` instead of `innerHTML`.
// Assigning to innerText inserts the value as literal text, so characters such
// as < and > are never parsed as markup. textContent is the DOM-standard
// equivalent and avoids the layout pass that innerText can trigger.
wele_parra.innerText = `wele ${name.value}`;
javascript - How to prevent XSS in the following code? - Stack Overflow