The emergence and prevention of XSS vulnerabilities

Source: Internet
Author: User

Situation

Put simply, when a template variable is output into the page source, the URL, HTML or JS escaping that its context requires is skipped. If the variable's value happens to contain a special format, or an attacker deliberately constructs one, the vulnerability appears.

If these template variables are:

1. Not URL-escaped ①

Example:

Scenario: inside the href attribute of an a tag
Source code:
  <a href="http://mysite.com/?{{$vars}}"></a>

Scenario: inside the src attribute of tags such as iframe, img, script and link

Scenario: used as a URL variable in JavaScript code
Source code:
  var url = 'http://mysite.com/?{{$vars}}';

2. Not HTML-escaped ②

Example:

Scenario: title tag
Source code:
  <title>Personal center of {{$user}}</title>

Scenario: input value
Source code:
  <input value="{{$user}}"/>

3. Not JS-escaped ③

Example:

Scenario: JS variable in an inline script tag on the page
Source code:
  var a = '{{$var}}';

Scenario: level-0 (inline) event handler of a DOM element on the page
Source code:
  <div onclick="someFunction({{$param}})">

Scenario: in a template used for asynchronous (callback-style) responses
Source code:
  {{$callback}}({{$obj}})

4. HTML-escaped first, then JS-escaped ④ (the value is inserted into HTML that is built inside a script)

Example:

Scenario: a JS statement inside a script tag inserts HTML into the page
Source code:
  dom.innerHTML = "{{$vars}}";
  or
  document.write("{{$vars}}");

5. JS-escaped first, then HTML-escaped ⑤ (the value is JS code that sits inside an HTML attribute)

Example:

Scenario: parameter of the method in a level-0 (inline) event handler of a DOM element on the page
Source code:
  <div onclick="someFunction({{$param}})">

Prevention Measures

According to the circled numbers above (① to ⑤), we mainly adopt the following prevention measures:

① Perform URL escaping
Smarty escape: {{$var|escape:"url"}}
Others: similar to encodeURIComponent in JS; the whole value is escaped.
Characters escaped: every character other than 0-9, a-z, A-Z and ! ' ( ) * - . _ ~ is converted to its hexadecimal escape sequence; Chinese characters give different results under different charsets.

② Perform HTML escaping
Smarty escape: {{$var|escape:"html"}}
Others: Tangram provides baidu.string.encodeHTML for escaping in JS; use it for internal variables when HTML templates are generated with JS.
Characters escaped: the method provided by Smarty escapes < > ' " (generally only these four characters are escaped); the method provided by Tangram also escapes &, for a total of five characters.

③ Perform JS escaping
Smarty escape: {{$var|escape:"javascript"}}
Characters escaped: ' " \ / \n \r

④ Perform HTML escaping first, then JS escaping
Smarty escape: {{$var|escape:"html"|escape:"javascript"}}
Characters actually escaped:
  < becomes &lt;
  > becomes &gt;
  ' becomes \'
  " becomes \"
  \ becomes \\
  / becomes \/
  newline becomes \n
  carriage return becomes \r

⑤ Perform JS escaping first, then HTML escaping
Smarty escape: {{$var|escape:"javascript"|escape:"html"}}
Characters actually escaped:
  < becomes &lt;
  > becomes &gt;
  & becomes &amp;
  ' becomes &#39;
  " becomes &quot;
  \ becomes \\
  / becomes \/
  newline becomes \n
  carriage return becomes \r
 

Advanced

1. Escape in Smarty by default: run $smarty->default_modifiers = array('escape:"html"'); before displaying the page, and every Smarty variable starting with $ is escaped by default. To cancel this for variables that must not be escaped, use {{$var|smarty:nodefaults}}.

2. Same-domain asynchronous operations: use ajax as much as possible and insert script tags as little as possible, to reduce the XSS caused by an unescaped callback function name.

3. Have the server set the Content-Type header of the response to "application/javascript".
