What is "Escaped" & "Unescaped" output

Problem description:

I'm not familiar with Javascript

Learning a node.js template engine, it has "Escaped" & "Unescaped" output.

What actually is "Escaped" & "Unescaped" output?

Is it like "include once" & "include"?

(Google gives no results about this.)

Escaping and unescaping are useful to prevent Cross Site Scripting (XSS) attacks. It is one of the common web attacks, since it will be easy to create an attack vector if the site is not designed carefully. It's ranked number 3 in OWASP's Top 10 vulnerabilities of 2013.

The main intention is to NOT let the browser execute or interpret the HTTP response in a different way than intended.

For example, let's say you have a web page which lets the user enter his address, and you want the user to confirm it in the next page. So, you are getting the address entered by the user and displaying it in the next page. If the user enters a valid address, it will not be a problem. What if the user enters something like this:

<script>
    alert("Welcome");
</script>

Your next page will simply produce an alert box saying Welcome. Now, consider this case. You are writing a blogging application, and the user enters the above seen script in the text box provided. You'll be storing it in the DB, and whoever wants to see your blog will get to see that alert box. The worst thing is, if the attacker puts that in an infinite loop, whoever visits that blog will not be able to read the content at all.

This is just one of the basic attacks, which is possible if you don't escape the text.

So, normally, the text the user entered will be escaped and then stored in the DB. For example, the above seen attack vector (the script tag thing) will become like this after HTML escaping:

&lt;script&gt;
    alert(&quot;Welcome&quot;);
&lt;/script&gt;

Now, the browser will not consider this a script element but an HTML element, so it will display it as

<script>
    alert("Welcome");
</script>

instead of executing it.
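To make the escaped-versus-unescaped distinction concrete, here is an added example (my own code, not from the answer above or from any particular template engine): a minimal HTML escaper of the kind an engine applies to "escaped" output, run over the answer's `<script>` sample. The function names, the escape map and the `renderConfirmation` page are assumptions for illustration.

```javascript
// Added example: minimal HTML escaping as a template engine's "escaped"
// output does it. Names and the escape map are my own, not a library's API.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can change meaning inside HTML text or
// attribute values. "&" is escaped as well; otherwise a literal "&lt;" typed
// by the user would survive as an entity and be decoded by the browser.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render the confirmation page from the answer's scenario: the address the
// user typed is placed inside a <p>. escaped=true models the engine's escaped
// output; escaped=false models unescaped (raw) output.
function renderConfirmation(address, escaped) {
  const body = escaped ? escapeHtml(address) : address;
  return `<p>You entered: ${body}</p>`;
}

// Constructed input, taken from the answer's example.
const attackerInput = '<script>\n    alert("Welcome");\n</script>';

// Simple check for the rendered page: user-supplied text must not contribute
// a raw <script> tag. True means the page would execute the script.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Escaped output: the browser shows the tag text instead of running it.
const safePage = renderConfirmation(attackerInput, true);
// Unescaped output: the <script> element lands in the page verbatim.
const rawPage = renderConfirmation(attackerInput, false);

console.log(safePage);
console.log(containsRawScriptTag(safePage), containsRawScriptTag(rawPage));
```

The escaped page prints the entity form of the tag (`&lt;script&gt;...`), which the browser renders as visible text; the unescaped page keeps the tag intact, which is what the answer's "infinite loop" scenario relies on.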