What is "Escaped" & "Unescaped" output?

2022-01-24 00:00:00 node.js javascript coffeescript

I'm not familiar with JavaScript.

Learning a node.js template engine, it has "Escaped" & "Unescaped" output.

What actually is "Escaped" & "Unescaped" output?

Is it like "include once" & "include"?

(Google gives no result about this)

Accepted answer

Escaping and unescaping are useful to prevent Cross Site Scripting (XSS) attacks. It is one of the common web attacks, since it will be easy to create an attack vector if the site is not designed carefully. It's ranked number 3 in the OWASP Top 10 vulnerabilities of 2013.

The main intention is to NOT let the browser execute or interpret the HTTP response in a different way than intended.

For example, let's say you have a web page which lets the user enter his address, and you want the user to confirm it on the next page. So, you are taking the address entered by the user and displaying it on the next page. If the user enters a valid address, it will not be a problem. What if the user enters something like this:

<script>
    alert("Welcome");
</script>

Your next page will simply produce an alert box saying Welcome. Now, consider this case. You are writing a blogging application, and the user enters the above seen script in the text box provided. You'll be storing it in the DB, and whoever wants to see your blog will get to see that alert box. Worst thing is, if the attacker puts that in an infinite loop, whoever visits that blog will not be able to read the content at all.

This is just one of the basic attacks which is possible if you don't escape the text.

So, normally, the text the user entered will be escaped and then stored in the DB. For example, the above seen attack vector (the script tag thing) will become like this after HTML escaping:

&lt;script&gt;
    alert(&quot;Welcome&quot;);
&lt;/script&gt;

Now, the browser will not consider this as a script element but as an HTML element, so it will display it as

<script>
    alert("Welcome");
</script>

instead of executing it.
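To make the difference concrete, here is an added example (not from the answer or from any particular template engine) of a tiny renderer with an escaped placeholder `{{name}}` and an unescaped one `{{{name}}}`; that placeholder syntax, the `escapeHtml`/`render` helpers and the sample address input are all assumptions for illustration.

```javascript
// Added example: a minimal template renderer with "escaped" and "unescaped"
// output, fed the script payload from the answer above (constructed input).
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that has a special meaning in HTML text or
// attribute context with its entity, so the browser shows it as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// {{{key}}} -> raw value (unescaped output), {{key}} -> escaped output.
// One regex with two alternatives, so a single pass handles both forms
// and values inserted raw are never re-scanned for placeholders.
const PLACEHOLDER = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;

function render(template, data) {
  return template.replace(PLACEHOLDER, (_, rawKey, escKey) =>
    rawKey !== undefined
      ? String(data[rawKey] ?? '')
      : escapeHtml(data[escKey] ?? ''));
}

// Quick check a reviewer might run on rendered output: is there a live
// <script> tag left in the page, or only the inert &lt;script&gt; text?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed "address" the user typed in: the payload from the answer.
const userInput = '<script>\n    alert("Welcome");\n</script>';

// Escaped output: tags become text, the browser displays them, nothing runs.
const safePage = render('<p>Your address: {{address}}</p>', { address: userInput });

// Unescaped output: the markup goes through verbatim and would execute.
const unsafePage = render('<p>Your address: {{{address}}}</p>', { address: userInput });

console.log(safePage);
console.log(containsScriptTag(safePage), containsScriptTag(unsafePage)); // false true
```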
