Is <span xss=removed> safe for sanitize?

Is safe for sanitize?

2020-06-21 06:08发布

I am using a rich text editor (CKEditor) and I have the opportunity to let users create profiles that are displayed to other users.

Many of the attributes CKEditor can control are being lost when I display them as:

<%= sanitize(profile.body) %>

My question is: is it safe to allow the attribute 'style' to be parsed? This would allow things like text color, size, background color, centering, indenting, etc. to be displayed. I just want to be sure it won't allow a hacker access to something I don't know about!

标签： ruby-on-rails ruby-on-rails-3 sanitize html-safe

1条回答

该账号已被封号

2楼-- · 2020-06-21 06:30

is it safe to allow the attribute 'style' to be parsed?

No.

background-image: url(javascript:[code]);
width: expression([code]);                  /* ie */
behavior: url([link to code]);              /* ie */
-moz-binding: url([link to code]);          /* ff */

Not to mention UI-spoofing attacks like positioning a false login form over a real one or something.

0人赞添加讨论(0) 举报

Is safe for sanitize?

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间