Sanitize all scripts from html string

本小妞迷上赌 提交于 2019-12-11 01:55:17

问题


The HTML5 clipboard is awesome, but I am looking for a way to make it safe.

The user is pasting text/html into my webpage. This allows them to paste images, tables, etc.

I am looking for a way to remove all scripts from the pasted content, before I add it to the page.

I need to remove <script> elements, as well as other ways of executing scripts like

<img src="x" onerror="alert('Hacked!')">

(and any others)

I do not want to remove style elements, or any other sorts of elements. (They are actually pasting into an iframe, so styles won't affect anything else.)


回答1:


You could use a sanitizer like Google Caja to remove malicious JavaScript - you could even use it to strip all JavaScript content if desired.

However, I question your goals. Is your aim to prevent self-XSS? Unless you output the HTML somewhere, there is no danger to the user. If you output the HTML to the same user and there are other methods of entering the content other than paste, then you should make sure you protect the page against CSRF. This would stop an attacker inserting their own malicious JavaScript under the authorisation of the current user.

If you output the HTML to other users, you may wish to sanitize the content server side. If HTML content isn't allowed at all then you should HTML encode when output so a <script> tag will display as <script> in the browser rather than being interpreted as a code block by the browser.

If you need to output HTML, but without scripts you should sanitize it server side and you should also implement a Content Security Policy. With the correct policy you can prevent inline scripts from running at all in modern browsers. The CSP will prevent any future bugs found in your chosen sanitizer from posing a threat to the user. Supported browsers are detailed here.

You mention that you want to support styles - note that CSS stylesheets can also contain code. This is an Internet Explorer supported concept (and old versions of FireFox). However, your CSP should prevent this if you disallow inline styles.




回答2:


If the user is uploading it for other's to view, you should use a PHP setup with a white list of approved tags, and prevent them from uploading JavaScript, otherwise they could edit it anyway and the script becomes useless. If they aren't uploading for others to see, you needn't do anything because they are only going to harm themselves.



来源:https://stackoverflow.com/questions/28301617/sanitize-all-scripts-from-html-string

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!