Should I filter or sanitize potential XSS input values, or just throw an exception?

Time: 2022-05-30 20:11:18

I've seen many articles and questions on SO regarding filtering and sanitizing web form input values for potential XSS issues.

My question... If we detect XSS issues in the data, then shouldn't we be throwing an exception and not allowing the request to progress any further, rather than filtering or sanitizing it?

1 solution

#1

Depends on the kind of data you expect, but in any case it is good to track in some log that someone has tried an XSS attack or any other.

One more good practice is to implement an alert launched when someone tries an XSS attack. In case you have a lot of traffic, you could generate a report daily with all the information about the attacks detected during the day.

After you track this information, whether you throw an exception or sanitize the data depends on you; these few questions could help you:

  • Is the information the user tries to submit relevant to you?
  • Are you interested in letting them know you have blocked their XSS attack?
  • Are you interested in letting them stay on the web site after detecting them as a potential attacker?
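The detect-then-log-then-decide flow the answer describes, as an added example (not code from the question or the answer): a deliberately small heuristic acts as a tripwire, every hit is recorded as a structured event, the `policy` argument chooses between raising an exception and HTML-escaping the value, and a small aggregator produces the daily report. The pattern, event fields and function names are assumptions of this example; output encoding at render time remains the real XSS defence.

```python
import html
import logging
import re
from collections import Counter

log = logging.getLogger("xss_guard")

# Hypothetical heuristic for the most common markup shapes (tags, javascript:
# URLs, on*= handlers). It exists to trigger logging/alerting, not to be a
# complete filter; false positives (e.g. the word "one=") are acceptable here.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.I)


class SuspiciousInput(ValueError):
    """Raised under policy='reject' when a value looks like an XSS attempt."""


def record_attempt(events, field, value, client_ip):
    """The 'track it in some log' step: structured event plus a log line."""
    event = {"field": field, "client_ip": client_ip, "sample": value[:80]}
    events.append(event)
    log.warning("possible XSS attempt field=%s ip=%s", field, client_ip)
    return event


def handle_input(field, value, client_ip, events, policy="reject"):
    """Detect, record, then either reject (exception) or sanitize (escape)."""
    if SUSPICIOUS.search(value):
        record_attempt(events, field, value, client_ip)
        if policy == "reject":
            raise SuspiciousInput(f"rejected suspicious value in field {field!r}")
        # Sanitize: keep the request alive but neutralise the markup.
        return html.escape(value, quote=True)
    return value


def daily_report(events):
    """Aggregate the day's recorded events per client IP and per form field."""
    return {
        "total": len(events),
        "by_ip": dict(Counter(e["client_ip"] for e in events)),
        "by_field": dict(Counter(e["field"] for e in events)),
    }
```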
