I am using Twig to display user-supplied links, i.e.:
<a href="{{ project.link }}">...</a>
and I'm trying to make sure it is safe against XSS. I assumed Twig's built-in filters would handle this, but it seems they don't. For example, if the data source is:
`javascript:alert("hello")`
the following filters fail:
<a href="{{ project.link|escape('html_attr') }}">...</a>
<a href="{{ project.link|escape('url') }}">...</a>
The first still allows the javascript to fire, and the second, if a full URL is passed, turns it into an invalid link (e.g. http://www.google.com).
Is there a Twig built-in method to properly sanitize data for use in an href attribute?
Answer 0 (score: 0)
If you are using Twig 3.x, you can use escape('html'), escape('url') or escape('js') depending on the context.
<p>{{ text|escape('html')}}</p>
<a href="{{ link|escape('url') }}" onclick="console.log('{{ jsCode|escape('js') }}');">a link</a>
<script>
console.log('{{ jsCode|escape('js') }}');
</script>
Note that you can use the shorter syntax e('html'), e('url') or e('js').
Answer 1 (score: 0)
I was looking for the same solution but couldn't find one. Twig is good at blocking specific HTML tags (such as the object tag), so I wrote a list of potential javascript events that could be abused if a user injected them into a paragraph tag or a link tag.
Using a class (or a function!), you can loop through the user-submitted content and strip them out. This is not an exhaustive list, and I'm sure there are other attack vectors, but it should be a starting point.
$badJSArray = [
    "javascript:", "content:url", "data:text", "-o-link:", "xmlns:xlink", "xlink:href", "data:image", "formaction",
    "onfocus", "autofocus", "onblur", "onscroll", "onforminput", "onformchange", "onerror", "oninput", "onload",
    "onclick", "onchange", "onmouseover", "onmouseout", "onmousedown", "onmouseup", "onbeforescriptexecute",
    "onresize", "onactivate", "animationstart", "animationiteration", "animationend", "transitionstart",
    "transitionend", "ontoggle", "onratechange", "onreadystatechange", "onfilterchange", "allowscriptaccess",
    "onpropertychange", "onpageshow", "onunload", "ondragstart", "ondragend", "ondrag", "ondragenter",
    "ondragover", "ondragleave", "ondrop", "onabort", "onemptied", "onstalled", "onsuspend", "onafterprint",
    "onbeforeprint", "onbeforeunload", "oncanplay", "onloadstart", "ondurationchange", "onloadedmetadata",
    "onloadeddata", "onprogress", "oncanplaythrough", "oncontextmenu", "oncopy", "oncut", "ondblclick",
    "onended", "onfocusin", "onfocusout", "fullscreenchange", "fullscreenerror", "onhashchange", "oninvalid",
    "onkeydown", "onkeypress", "onkeyup", "onmessage", "onopen", "onmouseenter", "onmouseleave", "onmousemove",
    "onoffline", "ononline", "onpagehide", "onpaste", "onpause", "onplay", "onplaying", "onprogress", "onreset",
    "onsearch", "onseeked", "onseeking", "onselect", "onshow", "onsubmit", "ontimeupdate", "ontouchcancel",
    "ontouchend", "ontouchmove", "touchcancel", "ontouchstart", "onvolumechange", "onwaiting", "onwheel"
];

class CleanXSS {
    // Replace every denylisted token (case-insensitive) with an inert attribute name
    function js($value) {
        global $badJSArray;
        return str_ireplace($badJSArray, "data-inert", $value);
    }
}
$CleanXSS = new CleanXSS();
echo $CleanXSS->js("<p onclick='alert(1)'>Hello World!</p>");

// Or create a simple function
function CleanXSS($value) {
    global $badJSArray;
    return str_ireplace($badJSArray, "data-inert", $value);
}
echo CleanXSS("<p onclick='alert(1)'>Hello World!</p>");

// Create a Twig filter to use in the templates
$CleanXSSFilter = new \Twig\TwigFilter('CleanXSS', function ($value) {
    global $badJSArray;
    return str_ireplace($badJSArray, "data-inert", $value);
});
// Add the filter to the global Twig environment
$twig->addFilter($CleanXSSFilter);
Use this in the Twig file like so:
<div class="col-lg-8 team-profiles">
{{ team.page_content|CleanXSS|striptags('<p><b><i><a>')|raw}}
</div><!-- end column -->
I compiled this list from the following two resources:
https://www.w3schools.com/jsref/dom_obj_event.asp
Hope this helps with your project!
A simple approach is to set a CORS policy meta tag to prevent inline JS from firing! Easy as that!
<meta http-equiv="Content-Security-Policy" content="default-src https:">
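Added example, not code from the question or any answer above: a Twig filter that accepts a user-supplied href only when its URL scheme is on an allowlist, which is the decision that escape('html_attr') and escape('url') never make. It assumes Twig 3.x and an existing \Twig\Environment in $twig; the filter name safe_href and the sample inputs are made up for this example.

```php
<?php
// Added example (not from the question or answers). Escaping encodes characters;
// it never decides whether "javascript:" is an acceptable scheme. This filter
// makes that decision with an allowlist and returns "#" for anything else.
// Assumes Twig 3.x and an existing \Twig\Environment in $twig.

function safe_href(string $value, array $allowedSchemes = ['http', 'https', 'mailto']): string
{
    $value = trim($value);
    // Browsers drop tab, newline and other C0 controls before reading the
    // scheme, so "java\tscript:" would still run. Normalise the same way for
    // the check only; the untouched value is returned when it passes.
    $normalized = preg_replace('/[\x00-\x1f\x7f]+/', '', $value);

    // No "scheme:" prefix means a relative or scheme-relative (//host) URL;
    // both inherit the page's http(s) scheme and cannot become javascript:.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalized, $m)) {
        return $value;
    }
    return in_array(strtolower($m[1]), $allowedSchemes, true) ? $value : '#';
}

// Register the filter. In the template, still escape for the attribute context:
//   <a href="{{ project.link|safe_href|e('html_attr') }}">...</a>
$twig->addFilter(new \Twig\TwigFilter('safe_href', 'safe_href'));

// Constructed sample inputs and the value each one yields:
$samples = [
    'https://www.google.com'            => 'https://www.google.com',
    '/projects/42'                      => '/projects/42',
    'javascript:alert("hello")'         => '#',
    "JaVa\tScRiPt:alert(1)"             => '#',
    'data:text/html,<script>1</script>' => '#',
];
foreach ($samples as $input => $expected) {
    if (safe_href($input) !== $expected) {
        throw new RuntimeException("unexpected result for: $input");
    }
}
```

The attribute escaping after the filter matters: it keeps an entity-encoded colon such as &#58; from being decoded by the HTML parser into a scheme separator the filter never saw.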
Answer 2 (score: -1)
Use the escape function.
The escape filter can also be used in contexts other than HTML, thanks to an optional argument that defines the escaping strategy to use:
Example:
{{ 'https://stackoverflow.com/questions/44161675/xss-attribute-protection-with-symfony2-twig<script>alert(1)</script>' | e('html') }}