wangp070533 (王鹏) https://ruby-china.org/wangp070533 en-us 关于有空格的文字列的 XSS 对策案 <pre class="highlight erb"><code><span class="cp">&lt;%=</span> <span class="n">select_tag</span> <span class="s2">"select_name"</span><span class="p">,</span> <span class="n">options_for_select</span><span class="p">(</span><span class="vi">@name_select_list.collect</span><span class="p">{</span><span class="o">|</span><span class="nb">p</span><span class="o">|</span> <span class="p">[</span><span class="nb">p</span><span class="p">[</span><span class="s2">"name"</span><span class="p">],</span> <span class="nb">p</span><span class="p">[</span><span class="s2">"id"</span><span class="p">]]}),</span> <span class="ss">:style</span> <span class="o">=&gt;</span> <span class="s2">"width:200px"</span><span class="p">,</span> <span class="ss">:prompt</span> <span class="o">=&gt;</span> <span class="no">I18n</span><span class="p">.</span><span class="nf">t</span><span class="p">(</span><span class="s1">'labels.items.all'</span><span class="p">)</span> <span class="cp">%&gt;</span> </code></pre> <p>p["name"] = "&nbsp;&nbsp;&nbsp;alert(9999)"</p> <p>期待値:下拉菜单里显示 </p> <pre class="highlight erb"><code>” <span class="nt">&lt;script&gt;</span><span class="nf">alert</span><span class="p">(</span><span class="mi">9999</span><span class="p">)</span><span class="nt">&lt;/script&gt;</span>” </code></pre> <p>対策案:</p> <pre class="highlight erb"><code>①<span class="cp">&lt;%=</span> <span class="n">select_tag</span> <span class="s2">"select_name"</span><span class="p">,</span> <span class="n">options_for_select</span><span class="p">(</span><span class="vi">@name_select_list.collect</span><span class="p">{</span><span class="o">|</span><span class="nb">p</span><span class="o">|</span> <span class="p">[(</span><span class="n">sanitize</span> <span class="nb">p</span><span class="p">[</span><span class="s2">"name"</span><span class="p">]),</span> <span class="nb">p</span><span class="p">[</span><span class="s2">"id"</span><span class="p">]]}),</span> <span class="ss">:style</span> <span class="o">=&gt;</span> <span class="s2">"width:200px"</span><span class="p">,</span> <span class="ss">:prompt</span> <span class="o">=&gt;</span> <span class="no">I18n</span><span class="p">.</span><span class="nf">t</span><span class="p">(</span><span class="s1">'labels.items.all'</span><span class="p">)</span> <span class="cp">%&gt;</span> </code></pre> <p>結果:下拉菜单里显示</p> <pre class="highlight erb"><code>” alert(9999)” </code></pre><pre class="highlight erb"><code>②<span class="cp">&lt;%=</span> <span class="n">select_tag</span> <span class="s2">"select_name"</span><span class="p">,</span> <span class="n">options_for_select</span><span class="p">(</span><span class="vi">@name_select_list.collect</span><span class="p">{</span><span class="o">|</span><span class="nb">p</span><span class="o">|</span> <span class="p">[</span><span class="nb">p</span><span class="p">[</span><span class="s2">"name"</span><span class="p">],</span> <span class="nb">p</span><span class="p">[</span><span class="s2">"id"</span><span class="p">]]}),</span> <span class="ss">:style</span> <span class="o">=&gt;</span> <span class="s2">"width:200px"</span><span class="p">,</span> <span class="ss">:prompt</span> <span class="o">=&gt;</span> <span class="no">I18n</span><span class="p">.</span><span class="nf">t</span><span class="p">(</span><span class="s1">'labels.items.all'</span><span class="p">)</span> <span class="cp">%&gt;</span> </code></pre> <p>結果:下拉菜单里显示 </p> <pre class="highlight erb"><code>”<span class="ni">&amp;nbsp;&amp;nbsp;&amp;nbsp;</span><span class="nt">&lt;script&gt;</span><span class="nf">alert</span><span class="p">(</span><span class="mi">9999</span><span class="p">)</span><span class="nt">&lt;/script&gt;</span>” </code></pre> <p>有能完美解决的方案吗?</p> wangp070533 Wed, 05 Dec 2018 16:52:18 +0800 https://ruby-china.org/topics/37858 https://ruby-china.org/topics/37858