使用经典ASP构建“退出”页面，避免主要的跨站点脚本陷阱

I'm working on updating a classic ASP web page used by a number of sub-sites maintained at the company I work for.

我正在努力更新我工作的公司维护的许多子站点使用的经典ASP网页。

The purpose of the page is to notify the user that they are leaving "our" site and going to another site. It's basically a disclaimer, but due to resource limitations and time limitations I can't add the disclaimer to every site we manage.

该页面的目的是通知用户他们正在离开“我们的”站点并转到另一个站点。它基本上是免责声明,但由于资源限制和时间限制,我无法将免责声明添加到我们管理的每个站点。

This is the crux of the problem. The current code pulls a variable from the query string to create the "continue" link in the new window. This obviously creates many problems in the form of cross site scripting.

这是问题的症结所在。当前代码从查询字符串中提取变量,以在新窗口中创建“继续”链接。这显然会以跨站点脚本的形式产生许多问题。

How do I approach this update to eliminate most (if not all) of the cross site scripting issues using vbScript/ASP.

如何使用vbScript / ASP处理此更新以消除大多数(如果不是全部)跨站点脚本问题。

The code I'm using is below.

我正在使用的代码如下。

<%@ Language = vbScript %>
<% Option Explicit %>

<%
Dim strLink
strLink = Request.QueryString("site")
strLink = Replace(strLink, "<", "&lt")
strLink = Replace(strLink, ">", "&gt;")
strLink = Replace(strLink, chr(34), "")
strLink = Replace(strLink, "script", "", 1, -1, 1)
strLink = Replace(strLink, "onclick", "", 1, -1, 1)
strLink = Replace(strLink, "ondblclick", "", 1, -1, 1)
strLink = Replace(strLink, "onmousedown", "", 1, -1, 1)
strLink = Replace(strLink, "onmouseover", "", 1, -1, 1)
strLink = Replace(strLink, "onmousemove", "", 1, -1, 1)
strLink = Replace(strLink, "onmouseout", "", 1, -1, 1)
strLink = Replace(strLink, "onkeypress", "", 1, -1, 1)
strLink = Replace(strLink, "onkeydown", "", 1, -1, 1)
strLink = Replace(strLink, "onkeyup", "", 1, -1, 1)
strLink = Replace(strLink, "onfocus", "", 1, -1, 1)
strLink = Replace(strLink, "onblur", "", 1, -1, 1)
strLink = Replace(strLink, "&&", "")
strLink = Replace(strLink, "##", "")
strLink = Replace(strLink, "&#", "")
%>

<a href="<%= strLink %>">Continue</a>

3 个解决方案

#1

This is what I recommend for HTML sanitizing -

这是我推荐用于HTML清理的 -

HTML Whitelist is the latest in the "cool little Python Web service thrown up on App Engine" by my good colleague DeWitt Clinton.

HTML Whitelist是我的好同事DeWitt Clinton在“App Engine上推出的酷小Python Web服务”中的最新成员。

It does one thing, and it does it well. You can pass the service HTML and it will return a sanitized version.

它做了一件事,它做得很好。您可以传递服务HTML,它将返回一个已清理的版本。

http://html-whitelist.appspot.com/

#2

You need to implement an approach that follows the concept of "Positive Security Model". You should parse the "site" variable and make sure it conforms explicitly to what is allowed, rather than write something that looks for what should be disallowed. This will make your approach much more resilient to attacks, especially unanticipated ones.

您需要实现遵循“积极安全模型”概念的方法。您应该解析“site”变量并确保它明确地符合允许的内容,而不是编写一些查找应该禁止的内容。这将使您的方法对攻击更具弹性,尤其是未预料到的攻击。

I suggest writing a regex (or ask how to write such a regex on *).

我建议编写一个正则表达式(或者询问如何在*上编写这样的正则表达式)。

Also, while the web service posted by Michael is pretty cool, you should evaluate if it is acceptable or not to take a dependency on such a thing.

此外,尽管Michael发布的Web服务非常酷,但您应该评估是否可以接受这样的事情。

#3

You could add logic to continue page to ensure that it is only called by a page on one of your sites either based on url or IP address. You could also pass a time and hashed code through for added security.

您可以添加逻辑以继续页面,以确保它仅由您的某个站点上的页面基于URL或IP地址调用。您还可以通过时间和散列代码来增加安全性。

#1