Preventing XSS in Node.js / server-side JavaScript

Time: 2021-09-05 15:54:52

Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes, etc. from POSTed data?


I don't want to have to write a regex for all that :)


Any suggestions?


7 solutions

#1


19  

One of the answers to Sanitize/Rewrite HTML on the Client Side suggests borrowing the whitelist-based HTML sanitizer in JS from Google Caja which, as far as I can tell from a quick scroll-through, implements an HTML SAX parser without relying on the browser's DOM.


Update: Also, keep in mind that the Caja sanitizer has apparently been given a full, professional security review while regexes are known for being very easy to typo in security-compromising ways.


Update 2017-09-24: There is also now DOMPurify. I haven't used it yet, but it looks like it meets or exceeds every point I look for:


  • Relies on functionality provided by the runtime environment wherever possible. (Important both for performance and to maximize security by relying on well-tested, mature implementations as much as possible.)
    • Relies on either a browser's DOM or jsdom for Node.JS.
  • Default configuration designed to strip as little as possible while still guaranteeing removal of javascript.
    • Supports HTML, MathML, and SVG
    • Falls back to Microsoft's proprietary, un-configurable toStaticHTML under IE8 and IE9.
  • Highly configurable, making it suitable for enforcing limitations on an input which can contain arbitrary HTML, such as a WYSIWYG or Markdown comment field. (In fact, it's the top of the pile here)
    • Supports the usual tag/attribute whitelisting/blacklisting and URL regex whitelisting
    • Has special options to sanitize further for certain common types of HTML template metacharacters.
  • They're serious about compatibility and reliability
    • Automated tests running on 16 different browsers as well as three different major versions of Node.JS.
    • To ensure developers and CI hosts are all on the same page, lock files are published.

#2


53  

I've created a module that bundles the Caja HTML Sanitizer


npm install sanitizer

http://github.com/theSmaw/Caja-HTML-Sanitizer


https://www.npmjs.com/package/sanitizer


Any feedback appreciated.


#3


16  

All usual techniques apply to node.js output as well, which means:


  • Blacklists will not work.
  • You're not supposed to filter input in order to protect HTML output. It will not work or will work by needlessly malforming the data.
  • You're supposed to HTML-escape text in HTML output.

I'm not sure if node.js comes with some built-in for this, but something like that should do the job:


function htmlEscape(text) {
   return text.replace(/&/g, '&amp;').   // ampersand first, so later entities are not double-escaped
     replace(/</g, '&lt;').  // it's not necessary to escape >
     replace(/"/g, '&quot;').
     replace(/'/g, '&#039;');
}
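The output-escaping approach this answer describes, as an added example (not code from the answer or from any library named on this page): the stored data is left exactly as it was POSTed, and every value is escaped at the moment it is interpolated into HTML. `escapeHtml`, `unescapeHtml`, `renderComments`, `hasUnescapedMetachar` and the `storedComments` rows are all constructed for this illustration.

```javascript
// Added example, not code from any of the answers above: escape at output
// time, in the HTML context the value is written into, and leave the stored
// data untouched. All names below are written for this example; they are not
// the page's htmlEscape or validator.escape.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the HTML metacharacters. '>' is not strictly needed for text nodes,
// but escaping it makes the same function safe for quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reverse of escapeHtml for the five entities above. Used only to show that
// the stored data round-trips unchanged, i.e. nothing was "filtered" away.
function unescapeHtml(value) {
  const back = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return String(value).replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => back[name]);
}

// Constructed sample of what a POST handler stored verbatim. Nothing was
// filtered on the way in, so the legitimate punctuation in the first row
// survives; the second row is a typical injection attempt, stored as text.
const storedComments = [
  { author: "O'Brien & Co", body: 'Use a < b, not "b > a"' },
  { author: '<img src=x onerror=alert(1)>', body: '<script>alert(document.cookie)</script>' },
];

// Render into an element body and into a quoted attribute, escaping every
// interpolated value at the point it enters the HTML.
function renderComments(comments) {
  return comments
    .map((c) =>
      `<li data-author="${escapeHtml(c.author)}">` +
      `<b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// True if an escaped string still contains a character that could break out
// of a text node or a quoted attribute. A self-check on the escaper.
function hasUnescapedMetachar(escaped) {
  return /[<>"']/.test(escaped) || /&(?!(amp|lt|gt|quot|#39);)/.test(escaped);
}

// Run as a script to see the rendered markup.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderComments(storedComments));
}
```

The point of the round-trip helper is the answer's second bullet: because the escaping happens on the way out, `O'Brien & Co` is stored and displayed as typed, whereas an input filter that stripped or rewrote `&`, `<` or quotes would have corrupted it for every other consumer of the data (JSON APIs, e-mail, logs). Escaping `>` as well keeps the same function correct for attribute values, as long as the attribute is always quoted in the template.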

#4


15  

I recently discovered node-validator by chriso.


Example

get('/', function (req, res) {

  //Sanitize user input
  req.sanitize('textarea').xss(); // No longer supported
  req.sanitize('foo').toBoolean();

});

XSS Function Deprecation

The XSS function is no longer available in this library.


https://github.com/chriso/validator.js#deprecations


#5


5  

You can also look at ESAPI. There is a javascript version of the library. It's pretty sturdy.


#6


3  

In newer versions of validator module you can use the following script to prevent XSS attack:


  var validator = require('validator');

  var escaped_string = validator.escape(someString);

#7


1  

Try out the npm module strip-js. It performs the following actions:


  • Sanitizes HTML
  • Removes script tags
  • Removes attributes such as "onclick", "onerror", etc. which contain JavaScript code
  • Removes "href" attributes which contain JavaScript code

https://www.npmjs.com/package/strip-js

