Is <span style=…> safe for sanitize?

对着背影说爱祢 提交于 2019-12-21 05:04:29

问题


I am using a rich text editor (CKEditor) and I have the opportunity to let users create profiles that are displayed to other users.

Many of the attributes CKEditor can control are being lost when I display them as:

<%= sanitize(profile.body) %>

My question is: is it safe to allow the attribute 'style' to be parsed? This would allow things like text color, size, background color, centering, indenting, etc. to be displayed. I just want to be sure it won't allow a hacker access to something I don't know about!


回答1:


is it safe to allow the attribute 'style' to be parsed?

No.

background-image: url(javascript:[code]);
width: expression([code]);                  /* ie */
behavior: url([link to code]);              /* ie */
-moz-binding: url([link to code]);          /* ff */

Not to mention UI-spoofing attacks like positioning a false login form over a real one or something.



来源:https://stackoverflow.com/questions/5371648/is-span-style-safe-for-sanitize

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!