
Question

I'm trying to map out how the Play framework supports escaping.

This is a nice page spelling out the needed functionality: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

So I'm trying to relate that to Play template features and fully understand what Play does and doesn't do.

  • HTML escaping: ${} or the escape() function
  • Attribute escaping: I can't find a built-in solution
  • JavaScript escaping: there's an escapeJavaScript() http://www.playframework.org/documentation/1.2/javaextensions
  • CSS escaping: I can't find a built-in solution
  • URL escaping: nothing special built-in, but usual Java solution e.g. Java equivalent to JavaScript's encodeURIComponent that produces identical output? - Update: there's urlEncode() at http://www.playframework.org/documentation/1.2/javaextensions

Another point of confusion is the support for index.json (i.e. using templates to build JSON instead of HTML). Does ${} magically switch to JavaScript escaping in a JSON document, or does it still escape HTML, so everything in a JSON template has to have an explicit escapeJavaScript()?

There's also an addSlashes() on http://www.playframework.org/documentation/1.2/javaextensions , but it doesn't seem quite right for any of the situations I can think of. (?)

It would be great to have a thorough guide on how to do all the flavors of escaping in Play. It looks to me like the answer is "roll your own" in several cases but maybe I'm missing what's included.

Answer

I've been looking into this so decided to write up my own answer based on what you already had, this OWASP cheat sheet and some experimentation of my own.

HTML escaping:

  • ${} or the escape() function

Attribute escaping: (common attributes)

  • This is taken care of as long as you wrap the attribute in double quotes (") and use ${}.
  • For complex attributes (href/src/etc.) see JavaScript below
  • Example of unsafe code
    • ...
    • <a id='${data.value}' href="...">...</a>
    • % href=javascript:alert('XSS')
    • %' href=javascript:alert(window.location)

JavaScript escaping: (and complex attributes)

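The escaping contexts the question lists and the single-quoted-attribute problem the answer points at, as an added example that is not part of the original question or answer and is not Play's own code. It is a plain Java class with no Play dependency: one escaper per OWASP context, and a main() that renders the answer's unsafe `<a id='${data.value}' ...>` pattern with a constructed payload. The `escapeHtml()` here is a stand-in that reproduces the one property of Play 1.x's `${}`/`escape()` (built on commons-lang `escapeHtml`) that matters for the example: `& < > "` are escaped, the single quote is not. `escapeAttribute()` and `escapeJs()` implement the OWASP cheat-sheet rules for the attribute and JavaScript-string contexts, and `encodeUriComponent()` is the usual adjustment of `java.net.URLEncoder` to match JavaScript's `encodeURIComponent`; none of these three are Play built-ins, they are what "roll your own" would look like.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

public class EscapingContexts {

    // Stand-in for what Play 1.x's ${} / escape() do (commons-lang escapeHtml
    // semantics for the characters that matter here). The single quote is
    // deliberately NOT escaped, because the real function does not escape it.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default:  sb.append(c);
            }
        }
        return sb.toString();
    }

    // OWASP rule #2 (HTML attribute context): every character outside
    // [A-Za-z0-9] becomes a numeric entity, so the value is safe even in a
    // single-quoted or unquoted attribute. Not a Play built-in.
    static String escapeAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 4);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (isAlnum(c)) sb.append(c);
            else sb.append("&#x").append(Integer.toHexString(c)).append(';');
        }
        return sb.toString();
    }

    // OWASP rule #3 (JavaScript string context): \xHH for Latin-1, \uHHHH above.
    // Not a Play built-in (Play 1.2's escapeJavaScript() is commons-lang's).
    static String escapeJs(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 4);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (isAlnum(c)) sb.append(c);
            else if (c < 0x100) sb.append(String.format("\\x%02X", (int) c));
            else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }

    // URL parameter context: URLEncoder output adjusted so it matches
    // JavaScript's encodeURIComponent (space as %20, !'()~ left unencoded).
    static String encodeUriComponent(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8")
                    .replace("+", "%20").replace("%21", "!").replace("%27", "'")
                    .replace("%28", "(").replace("%29", ")").replace("%7E", "~");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    static boolean isAlnum(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    public static void main(String[] args) {
        // Constructed attacker input, modelled on the answer's unsafe example.
        String payload = "' href=javascript:alert('XSS')";

        // 1. Single-quoted attribute + HTML escaping: the quote survives, the
        //    id attribute is closed early and an href is injected. The second,
        //    legitimate href is ignored by browsers as a duplicate attribute.
        System.out.println("<a id='" + escapeHtml(payload) + "' href=\"/ok\">x</a>");

        // 2. Double-quoted attribute + HTML escaping (the answer's safe form):
        //    the attacker's " becomes &quot; and cannot close the attribute.
        String dqPayload = "\" href=javascript:alert(1) x=\"";
        System.out.println("<a id=\"" + escapeHtml(dqPayload) + "\" href=\"/ok\">x</a>");

        // 3. Attribute escaping is safe whatever the quoting style.
        System.out.println("<a id='" + escapeAttribute(payload) + "' href=\"/ok\">x</a>");

        // 4. JavaScript and URL contexts each need their own escaper.
        System.out.println("var v = '" + escapeJs(payload) + "';");
        System.out.println("/search?q=" + encodeUriComponent("a b&c=d/\u00e9"));
    }
}
```

Compile and run with `javac EscapingContexts.java && java EscapingContexts`; case 1 prints markup whose first `href` is the injected `javascript:` URL, case 2 prints `id="&quot; href=javascript:alert(1) x=&quot;"` as one harmless attribute value.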