Der beste Weg, um Query-String-Parameter sicher lesen?

https://stackoverflow.com/questions/128028

02-07-2019
|

Frage

Wir haben ein Projekt, das ein Code-Snippet erzeugt, die auf verschiedenen anderen Projekten verwendet werden können. Der Zweck des Codes ist zwei Parameter aus dem Abfrage-String zu lesen und sie auf das „src“ -Attribut eines iframe zuweisen.

Zum Beispiel ist die Seite unter der URL http: //oursite/Page.aspx einer = 1 & b = 2 würde JavaScript darin die "a" und "b" Parameter zu lesen. Die JavaScript würde dann das „src“ -Attribut eines iframe auf diesen Parametern basieren. Zum Beispiel: " "</P> <P> Wir tun dies derzeit mit serverseitigen Code, Anti Cross-Scripting-Bibliothek von Microsoft verwendet die Parameter zu überprüfen. Allerdings hat eine neue Anforderung besagt kommen, dass wir JavaScript verwenden müssen, und dass es keine Drittanbieter-JavaScript-Tools (wie jQuery oder Prototype) verwenden kann. </P> <P> Ein Weg, den ich kenne, ist alle Instanzen von „<“, Apostroph zu ersetzen, und doppelten Anführungszeichen aus den Parametern, bevor Sie sie, aber das scheint nicht sicher genug für mich. </P> <P> Einer der Parameter ist immer ein „P“, gefolgt von 9 Zahlen. Der andere Parameter ist immer 15 alphanumerische Zeichen. (Danke Liam für die Annahme, ich mache das klar). </P> <P> Hat jemand irgendwelche Vorschläge für uns? </P> <P> Vielen Dank für Ihre Zeit. </P> </div> </div> </div> <div id="boxRight" class="tab-content col-xl-6"> <div id="boxSoluzioneDescrizione" class="boxArticolo"> <div class="row"> <div class="col-md-6"> <div class="row justify-content-start"> <div class="col-md-12"> <form id="feedback" action="/de/articolo/feedback" method="post"> <input type="hidden" name="_csrf" value="EuAvkSCa0bPt2y5-yWBCN-ZISZwcxqmF8f4meHP9MM0nsEulQdvg2K-eGx2dKCcCiRIz-DGi_OSWkH4fBpVhhA=="> <div class="hidden" style="display:none;"> <div class="form-group field-feedbackform-pagina required"> <input type="hidden" id="feedbackform-pagina" class="pagina" name="FeedbackForm[pagina]" value="/articolo/details"> <p class="help-block help-block-error"></p> </div> <div class="form-group field-feedbackform-idargomento"> <input type="hidden" id="feedbackform-idargomento" class="idArgomento" name="FeedbackForm[idArgomento]" value="38515"> <p class="help-block help-block-error"></p> </div> </div> <div> War es hilfreich? <div class="example-block text-center"> <label class="radio-inline" for="happy" style="font-size:1.5em;cursor:pointer;color:green;"> <i class="far fa-thumbs-up" title="This answer is useful"></i>   </label> <input type="radio" id="happy" class="voto input-hidden" name="FeedbackForm[voto]" value="10"> </div> <div class="example-block text-center"> <label class="radio-inline" for="sad" style="font-size:1.5em;cursor:pointer;color:red;"> <i class="far fa-thumbs-down" title="This answer is not useful"></i>   </label> <input type="radio" id="sad" class="voto input-hidden" name="FeedbackForm[voto]" value="0"> </div>  </div> <div class="row footer justify-content-between"> <div class="col"> <button type="button" class="btn btn-primary" data-dismiss="modal">einreichen</button> </div> </div> </form> </div> </div> </div> <div class="col-md-6"> </div> </div> <div class="row "> <div class="col-md-12"> <p class="title" style="background-color:green;"> <i class="far fa-thumbs-up"></i> Lösung </p> <div class="testo"> <p>Don't use escape and unescape, use decodeURIComponent. E.g. </p> <pre><code>function queryParameters(query) { var keyValuePairs = query.split(/[&?]/g); var params = {}; for (var i = 0, n = keyValuePairs.length; i < n; ++i) { var m = keyValuePairs[i].match(/^([^=]+)(?:=([\s\S]*))?/); if (m) { var key = decodeURIComponent(m[1]); (params[key] || (params[key] = [])).push(decodeURIComponent(m[2])); } } return params; } </code></pre> <p>and pass in document.location.search.</p> <p>As far as turning < into &lt;, that is not sufficient to make sure that the content can be safely injected into HTML without allowing script to run. Make sure you escape the following <, >, &, and ".</p> <p>It will not guarantee that the parameters were not spoofed. If you need to verify that one of your servers generated the URL, do a search on URL signing.</p> </div> </div> </div> </div> </div> </div> <div class="row mt-4 adv"> <div class="col-12 text-center"> <ins class="adsbygoogle" style="display:block; text-align:center;" data-ad-layout="in-article" data-ad-format="fluid" data-ad-client="ca-pub-5108424997424987" data-ad-slot="1879801491"></ins> <script defer async crossorigin="anonymous">(adsbygoogle=window.adsbygoogle||[]).push({});</script> </div> </div> <div class="row mt-4 adv"> <div class="col-12 text-center"> </div> </div> <div class="row mt-4"> <div class="col-12"> <div id="boxSoluzioniAvanzate" class="boxArticolo soluzioni"> <p class="title" style="background-color:black;"><i class="fas fa-file-alt"></i> Andere Tipps</p> <div class="testo"> <div id="alt292171" class="boxBorderTop row noMargin pt-4"> <div class="col-md-12 text-left"> <i class="far fa-newspaper fa-2x mb-2" style="display:block;color:gray;"></i> </div> <div class="col-md-12"> <p>Using a whitelist-approach would be better I guess. Avoid only stripping out "bad" things. Strip out anything except for what you think is "safe".</p> <p>Also I'd strongly encourage to do a HTMLEncode the Parameters. There should be plenty of Javascript functions that can this.</p> </div> </div> <div id="alt292172" class="boxBorderTop row noMargin pt-4"> <div class="col-md-12 text-left"> <i class="far fa-newspaper fa-2x mb-2" style="display:block;color:gray;"></i> </div> <div class="col-md-12"> <p>you can use javascript's escape() and unescape() functions.</p> </div> </div> <div id="alt292173" class="boxBorderTop row noMargin pt-4"> <div class="col-md-12 text-left"> <i class="far fa-newspaper fa-2x mb-2" style="display:block;color:gray;"></i> </div> <div class="col-md-12"> <p>Several things you should be doing:</p> <ul> <li>Strictly whitelist your accepted values, according to type, format, range, etc</li> <li>Explicitly blacklist certain characters (even though this is usually bypassable), IF your whitelist cannot be extremely tight.</li> <li>Encode the values before output, if youre using Anti-XSS you already know that a simple HtmlEncode is not enough</li> <li>Set the src property through the DOM - and <em>not</em> by generating HTML fragment</li> <li>Use the dynamic value <em>only</em> as a querystring parameter, and not for arbitrary sites; i.e. hardcode the name of the server, target page, etc.</li> <li>Is your site over SSL? If so, using a frame may cause inconsistencies with SSL UI...</li> <li>Using named frames in general, can allow Frame Spoofing; if on a secure site, this may be a relevant attack vector (for use with phishing etc.)</li> </ul> </div> </div> <div id="alt292174" class="boxBorderTop row noMargin pt-4"> <div class="col-md-12 text-left"> <i class="far fa-newspaper fa-2x mb-2" style="display:block;color:gray;"></i> </div> <div class="col-md-12"> <p>You can use regular expressions to validate that you have a P followed by 9 integers and that you have 15 alphanumeric values. I think that book that I have at my desk of RegEx has some examples in JavaScript to help you.</p> <p>Limiting the charset to only ASCII values will help, and follow all the advice above (whitelist, set src through DOM, etc.)</p> </div> </div> </div> </div> </div> </div> <div class="row mt-4"> <div class="col-12"> <div class="attribution"> <div>Lizenziert unter: <a href="https://creativecommons.org/licenses/by-sa/3.0/" target="_blank">CC-BY-SA</a> mit <a href="https://stackoverflow.blog/2009/06/25/attribution-required/" target="_blank">Zuschreibung</a></div> <div>Nicht verbunden mit <a href="https://stackoverflow.com/" target="_blank">StackOverflow</a></div> </div> </div> </div> <div id="share"></div> </div> <div class="row mb-4 adv"> <div class="col-md-12 text-center">  <ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-5108424997424987" data-ad-slot="5412049179" data-ad-format="auto" data-full-width-responsive="true"></ins> <script defer async crossorigin="anonymous">(adsbygoogle=window.adsbygoogle||[]).push({});</script> </div> </div> </div> </div> <aside id="bannerRight" class="col-xs-12 col-md-4 col-lg-3 text-center"> <div class="container mt-4"> <div class="row mb-4 adv"> <div class="col-md-12">  <ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-5108424997424987" data-ad-slot="1592207755" data-ad-format="auto" data-full-width-responsive="true"></ins> <script defer async crossorigin="anonymous">(adsbygoogle=window.adsbygoogle||[]).push({});</script> </div> </div> <div class="row adv"> <div class="col-md-12">  <ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-5108424997424987" data-ad-slot="8889943968" data-ad-format="auto" data-full-width-responsive="true"></ins> <script defer async crossorigin="anonymous">(adsbygoogle=window.adsbygoogle||[]).push({});</script> </div> </div> <div class="row topArticoli justify-content-center"> <div class="col-md-12 col-lg-10 pt-4"> </div> </div> </div> </aside> </div> </section>  <footer class="site-footer"> <div class="section-free d-block d-md-flex"> <div class="section-newsletter col"> </div> <div class="col content-free-projects mb-2"> <div> <p class="my-3">Nützliche Links</p> </div> <div class="d-flex justify-content-around"> <div></div> <div> <a class="nav-link" href="https://www.generacodice.com/de/tag">Stichworte</a> <a class="nav-link" href="https://www.generacodice.com/de/site/aboutus">Über uns</a> <a class="nav-link" href="https://www.generacodice.com/de/site/contacts">Kontakte</a> <a class="nav-link" href="https://www.generacodice.com/de/site/privacy">Privatsphäre</a> </div> <div> <a class="nav-link social fb" href="https://www.facebook.com/generacodice" target="_blank"><i class="fab fa-facebook"></i> Facebook</a> <a class="nav-link social instagram" href="https://www.instagram.com/genera_codice" target="_blank"><i class="fab fa-instagram"></i> Instagram</a> </div> <div></div> </div> <div class="small-footer-link d-flex align-items-center justify-content-center"> <form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top"> <input type="hidden" name="cmd" value="_s-xclick"/> <input type="hidden" name="hosted_button_id" value="42ZKUPRLM66J2"/> <input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_SM.gif" border="0" name="submit" title="PayPal - The safer, easier way to pay online!" alt="Donate with PayPal button"/> </form> </div> </div> </div> <div class="row m-0 justify-content-center text-center p-2"> <div class="col-md-5"> <p>Der Inhalt ist unter Creative Commons lizenziert.</p> <p class="mb-0">Wenn Sie Urheberrechtsverletzungen finden, können Sie uns unter uns kontaktieren <a href="mailto:info@generacodice.com"> info@generacodice.com </a> um die Entfernung des Inhalts zu beantragen.</p> </div> </div> </footer> <div id="scroll-to-top" style="display: block;background:none;"> <img src="https://www.generacodice.com/img/icone/scroll-top.svg" alt="scroll top" style="width:48px;height:48px;background-color:#fff;"/> </div>   <script src="https://www.googletagmanager.com/gtag/js?id=G-PNYLV6VWJG" async crossorigin="anonymous"></script> <script crossorigin="anonymous" defer>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}gtag('js',new Date());gtag('config','G-PNYLV6VWJG');</script>  <script type="application/ld+json" crossorigin="anonymous"> { "@context": "https://schema.org", "@type": "WebSite", "url": "https://www.generacodice.com/", "potentialAction": { "@type": "SearchAction", "target": "https://www.generacodice.com/articolo?ricerca={search_term_string}", "query-input": "required name=search_term_string" } } </script>  <script>var lingua="https://www.generacodice.com/de";</script> <script src="/lib,_wow.min.js+lib,_js.cookie.min.js+js,_form_ricerca.js.pagespeed.jc.0KiD_2eQXU.js"></script><script>eval(mod_pagespeed_2tArbUApc4);</script> <script>eval(mod_pagespeed_Z2DHJDuBN0);</script> <script src="https://cdn.jsdelivr.net/npm/cookie-bar/cookiebar-latest.min.js?customize=1&tracking=1&thirdparty=1&always=1&noGeoIp=1&showNoConsent=1&showPolicyLink=1&privacyPage=https%3A%2F%2Fwww.generacodice.com%2Fsite%2Fprivacy" preload></script> <script>eval(mod_pagespeed_Ac$AupIDDu);</script> <script src="https://kit.fontawesome.com/99a60a9345.js" preload></script> <script defer="defer" preload>//<![CDATA[ var ads=true; //]]></script> <script defer="defer" preload>//<![CDATA[ $(document).ready(function(){getTopArticoli('#bannerRight .topArticoli > div');$("form").submit(function(e){$('input[type=submit]').prop('disabled',true);$('button').prop('disabled',true);$("a:link").css("pointer-events","none");return true;});});$('#scroll-to-top').click(function(){$('body,html').animate({scrollTop:0},500);});function loadJs(){}function getTopArticoli(tag){$.ajax({url:lingua+'/site/top',type:'get',cache:true,async:true,dataType:'html'}).done(function(data){$(tag).html(data);}).fail(function(errore){});}function editor(tag){var basepath=window.location.origin;if(basepath.includes("localhost")||basepath.includes("192.168"))basepath=basepath+'/generacodice/web';sceditor.create(tag,{id:'descrizionePlus',format:'xhtml',style:basepath+'/js/sceditor/minified/themes/content/default.min.css',height:'300px',width:'100%',emoticonsRoot:basepath+'/js/sceditor/',plugins:'dragdrop,undo',dragdrop:{allowedTypes:['image/jpeg','image/png'],isAllowed:function(file){return true;},handlePaste:true,handleFile:function(file,createPlaceholder){var placeholder=createPlaceholder();asyncUpload(file).then(function(url){placeholder.insert('<img src=\''+url+'\' />');}).catch(function(){placeholder.cancel();});}},toolbarExclude:'print,maximize,source,date,time,ltr,rtl,email',resizeEnabled:false,autoUpdate:true});}function scrollPage(tag){$('html, body').animate({scrollTop:$(tag).position().top},2000);} //]]></script> <script src="/assets/44258436/yii.js+yii.validation.js+yii.activeForm.js.pagespeed.jc.UIQXQZzFPV.js"></script><script>eval(mod_pagespeed_Dsgqs7KBvb);</script> <script>eval(mod_pagespeed_wVj1MribpA);</script> <script>eval(mod_pagespeed_kypkLkq6GX);</script> <script defer>//<![CDATA[ $(document).ready(function(){$form=$('#feedback');var memoriaFeedback=Cookies.get('feedback'+$form.find('.idArgomento').val());if(memoriaFeedback&&memoriaFeedback!=undefined){$form.remove();}$form.find('.voto').change(function(){var memoriaFeedback=Cookies.get('feedback'+$form.find('.idArgomento').val());if(memoriaFeedback&&memoriaFeedback!=undefined){alert('Feedback già inviato!');}else{$.ajax({url:lingua+'/articolo/feedback',type:'post',data:$form.serialize(),dataType:'json'}).done(function(data){Cookies.set('feedback'+data.model.idArgomento,data.model.voto);alert('Feedback inviato con successo!');$form.remove();}).fail(function(errore){alert(errore.responseText);});}});}); //]]></script> <script src="/js/articulate.min.js.pagespeed.jm.f_s8Uvt550.js"></script> <script src="/js,_playerTesto.js,q202310021220+lib,_jssocials,_jssocials.min.js.pagespeed.jc.r10qr_CLkW.js"></script><script>eval(mod_pagespeed_3tm2bUePGD);</script> <script>eval(mod_pagespeed_hO8TWP86gO);</script> <script src="/js/sceditor/minified/sceditor.min.js.pagespeed.jm.1C0tswB5Qy.js"></script> <script src="/js/sceditor/minified/formats/xhtml.js.pagespeed.jm.2fxdjjsOWQ.js"></script> <script>//<![CDATA[ $(document).ready(function(){aggiungiTastiCondivisione();var testo=document.getElementById('testo');if(testo!=null&&testo.value==''){editor(testo);}$('#nav-site-menu .nav-item:first').html('');$('#nav-site-menu .nav-item:first').append($('#detailMultilanguage'));});function aggiungiPulsanteCopia(){$('pre').each(function(){$bottone=$('<h4 style="text-align:right;"><button class="btn btn-primary" onclick="copiaCodice(this)"><i class="fas fa-copy"></i></button></h4>');$bottone.insertBefore(this);});}function copiaCodice(element){$tagCodice=$(element).parent().next().children();var $temp=$("<input>");$("body").append($temp);$temp.val($tagCodice.text()).select();document.execCommand("copy");$temp.remove();}function dettagliLetturaArticolo(){$('#content .boxPage').readingTime({readingTimeTarget:$('.eta'),wordCountTarget:$('.words'),wordsPerMinute:275,round:true,lang:'en',success:function(data){},error:function(data){}});}function aggiungiTastiCondivisione(){$('#share').jsSocials({showLabel:true,showCount:false,shareIn:'popup',shares:["email",{share:"twitter",logo:'fab fa-twitter',label:'share on twitter'},{share:"facebook",logo:'fab fa-facebook-f',label:'share on facebook'},{share:"linkedin",logo:'fab fa-linkedin-in',label:'share on linkedin'},]});}function visualizzaPopupRegistrazione(){if($('#registrationModal').length>0&&Cookies.get('registrationModal')==undefined){setTimeout(function(){Cookies.set('registrationModal','true',{expires:7});$('#registrationModal').modal();},2000);}if($('#incompleteArticleModal').length>0){setTimeout(function(){$('#incompleteArticleModal').modal();},2000);}}function commentaArticolo(tipo){$('#answerform-tipo_risposta').val(tipo).change();scrollPage('#rispostaArticolo');} //]]></script> <script>jQuery(function($){jQuery('#feedback').yiiActiveForm([{"id":"feedbackform-pagina","name":"pagina","container":".field-feedbackform-pagina","input":"#feedbackform-pagina","error":".help-block.help-block-error","validate":function(attribute,value,messages,deferred,$form){yii.validation.required(value,messages,{"message":"Pagina darf nicht leer sein."});}},{"id":"feedbackform-idargomento","name":"idArgomento","container":".field-feedbackform-idargomento","input":"#feedbackform-idargomento","error":".help-block.help-block-error","validate":function(attribute,value,messages,deferred,$form){yii.validation.number(value,messages,{"pattern":/^[+-]?\d+$/,"message":"Id Argomento muss eine Ganzzahl sein.","skipOnEmpty":1});}}],[]);jQuery('#w0').yiiActiveForm([],[]);});</script> <script>window.addEventListener('load',function(){var is_adsense_load=0 window.addEventListener('scroll',function(){if(is_adsense_load==0){is_adsense_load=1;var ele=document.createElement('script');ele.async=true;ele.src='https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js' var sc=document.getElementsByTagName('script')[0] sc.parentNode.insertBefore(ele,sc);(adsbygoogle=window.adsbygoogle||[]).push({google_ad_client:"ca-pub-5108424997424987",enable_page_level_ads:true});}})})</script> </body> </html>