XSS: cross-site scripting

# Since Rails 3, values rendered with <%= %> are HTML-escaped by default
<%= text_field_tag "name" %> # enter <script>alert("just test")</script> into this field; when the value is rendered back, <script> is escaped to &lt;script&gt;
Because the special characters in <script> are escaped, <script>alert("just test")</script> is shown as text and is not executed.
For the code above, the page source shows &lt;script&gt;, the rendered page shows <script>, and the database still holds the raw input: escaping happens on output, not on storage.

# raw or html_safe switches off Rails' default escaping for that value; only acceptable in back-office views where the author of the content is fully trusted
("<strong>safe</strong>").html_safe
raw("<strong>safe</strong>")
For the code above, the page source shows <strong>safe</strong>, the rendered page shows a bold "safe", and the database holds the raw input.

# For pages that render user-supplied input, the sanitize() helper escapes selectively against an allow-list of tags and attributes; this is the right choice for ordinary user content
sanitize("<strong>safe</strong>")
# The default allowed tags and attributes (inspected from rails console):
rails c: ActionView::Base.sanitized_allowed_tags
=><Set: {"strong", "em", "b", "i", "p", "code", "pre", "tt", "samp", "kbd", "var", "sub", "sup", "dfn", "cite", "big", "small", "address", "hr", "br", "div", "span", "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li", "dl", "dt", "dd", "abbr", "acronym", "a", "img", "blockquote", "del", "ins"}>
rails c: ActionView::Base.sanitized_allowed_attributes
=><Set: {"href", "src", "width", "height", "alt", "cite", "datetime", "title", "class", "name", "xml:lang", "abbr"}>
# To allow further tags and attributes, extend the allow-list in config/application.rb
config.action_view.sanitized_allowed_tags = %w[table tr td] # must be an array
config.action_view.sanitized_allowed_attributes = %w[rel]
Caveat: depending on the Rails version this setter either merges into the defaults (Rails 3 and 4.0/4.1, HTML::WhiteListSanitizer) or replaces them (rails-html-sanitizer, Rails 4.2 and later), so after setting it check ActionView::Base.sanitized_allowed_tags in rails console and list every default tag you still need. Note also that allowing "a" and "href" is only safe because the sanitizer additionally filters URL schemes such as javascript:.

# XSS
Without escaping, i.e. when user input is rendered through raw or html_safe:
<script>alert(document.cookie)</script> # entered into the field, this runs in every visitor's browser and reads the current cookie
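The three rendering modes described above (default escaping, raw/html_safe, and the allow-list used by sanitize), as an added Ruby example that is not code from the original note or from Rails itself. It uses only the standard library: ERB::Util.html_escape is the same helper that Rails' <%= %> calls, while sanitize_html, render_field, safe_url?, the allow-list constants and the sample inputs are assumptions constructed for this example. The regex-based sanitizer exists to make the allow-list mechanics visible; it is not a substitute for Rails' rails-html-sanitizer, which parses the HTML properly.

```ruby
require "erb"

# Added example, not code from the original note or from Rails.
#   :escape   -> what <%= %> does (ERB::Util.html_escape is the helper Rails uses)
#   :raw      -> what raw()/html_safe do (nothing at all)
#   :sanitize -> an allow-list sanitizer in the spirit of sanitize()
# The allow-list is a constructed subset of the Rails defaults shown above.

ALLOWED_TAGS  = %w[strong em b i p a br].freeze
ALLOWED_ATTRS = %w[href title].freeze
SAFE_SCHEMES  = %w[http https mailto].freeze

TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
ATTR_RE = /([a-zA-Z:][a-zA-Z0-9:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

def escape_html(input)
  ERB::Util.html_escape(input)
end

# href is on the allow-list, so the URL scheme has to be checked separately:
# "javascript:alert(1)" inside an allowed attribute is still XSS.
def safe_url?(value)
  v = value.gsub(/[\s\x00-\x1f]/, "").downcase   # defeats "java\tscript:" style tricks
  scheme = v[/\A([a-z][a-z0-9+.\-]*):/, 1]
  scheme.nil? || SAFE_SCHEMES.include?(scheme)   # no scheme = relative URL, allowed
end

# Keeps only allow-listed attributes, re-escapes their values and drops unsafe hrefs.
def filter_attrs(attr_str, allowed)
  attr_str.to_s.scan(ATTR_RE).filter_map do |name, dq, sq, bare|
    name  = name.downcase
    value = dq || sq || bare || ""
    next unless allowed.include?(name)            # drops onclick, onerror, style, ...
    next if name == "href" && !safe_url?(value)
    %( #{name}="#{escape_html(value)}")
  end.join
end

# Tags not on the allow-list are escaped (shown literally), never removed silently,
# so the reader sees exactly what was rejected; text between tags is always escaped.
def sanitize_html(input, tags: ALLOWED_TAGS, attrs: ALLOWED_ATTRS)
  out = +""
  pos = 0
  input.scan(TAG_RE) do
    m = Regexp.last_match
    out << escape_html(input[pos...m.begin(0)])
    closing, name, attr_str = m[1], m[2].downcase, m[3]
    piece = if !tags.include?(name)
              escape_html(m[0])
            elsif closing == "/"
              "</#{name}>"
            else
              "<#{name}#{filter_attrs(attr_str, attrs)}>"
            end
    out << piece
    pos = m.end(0)
  end
  out << escape_html(input[pos..])
end

def render_field(input, mode)
  case mode
  when :escape   then escape_html(input)
  when :raw      then input
  when :sanitize then sanitize_html(input)
  else raise ArgumentError, "unknown mode #{mode}"
  end
end

if __FILE__ == $PROGRAM_NAME
  payload = "<script>alert(document.cookie)</script>"   # constructed sample input
  %i[escape raw sanitize].each { |m| puts "#{m}: #{render_field(payload, m)}" }
  puts render_field('<a href="javascript:alert(1)" onclick="x()">click</a>', :sanitize)
end
```

Run it as a script to see the same payload under all three modes: only :raw hands the script tag to the browser unchanged. The safe_url? check is the part a tag-level allow-list alone would miss; once a and href are permitted, the scheme of the link must be restricted as well, which is also what the Rails sanitizer does.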
