Is HTML5's contenteditable attribute supposed to be XSS safe?
537 观看
1回复
1947 作者的声誉
I have read the somewhat related question div contenteditable, XSS, but its answers do not highlight much about the XSS saftey of contenteditable. In particular with regards to accidental (as compared to intential cross-site-scripting). I am, of course, aware that I should sanitize user input server-side.
TL.DR.: Can I be certain that the user does not stand risk to introduce some external script(i.e. via data pasted from the clipboard) via a page Element being set contenteditable
? Does the spec make certain that any markup pasted to the contenteditable is sanitized before being inserted into the DOM?
I have noticed that on two major Browsers I tested, Chromium/Chrome and Firefox, that it seems to be impossible to accidentally insert an active Elements into the contenteditable
tag. An example for such an accedental insertion I would have imagined to be for instance:
- user copies a Selection of DOM Elements from one webpage and inserts them into the
contenteditable
Element on another site. - user does (on linux command line)
echo "<b onclick='alert("XSS");'>click me</b>" | xclip -t text/html -selection "clipboard"
and pastes that into thecontenteditable
.
An active element would be anything like:
- html markup containing a
<script>
- html markup containing elements with inline handlers such as
onclick="alert(\"XSS\");"
- html markup containing javascript hrefs such as
<a href="javascript:alert(\"XSS\")"> click me </a>
Now my question is, seeing that contenteditable seems somewhat safe from having any normal XSS vector being pasted into, if that is by design?
I have read some specs/refs/whatever where it does neither explicitly mention that contenteditable
should prevent any active Element being inserted into the DOM of the page, neither that it would be allowed. This leaves me in doubt if I should use the contenteditable feature, as I do not want to risk some external javascript being inserted into contenteditable
. Answer this XSS safety of contenteditable
is the core of this question.
Update
In contrast to the contenteditable
attribute the similar feature documents designMode
, seems to be specific (see https://www.w3.org/TR/2008/WD-html5-20080610/web-browsers.html#designModeScriptBlocked) about the javascript being disabled (hence XSS prevented).
UPDATE 2
The most recent reference/spec cited on MDN is https://html.spec.whatwg.org/multipage/interaction.html#contenteditable
which is oddly indifferent about any guarantees that contenteditable
provides to not introduce malicous javascript via paste.
回应 1
0像
6109 作者的声誉
There is no standard which browsers must adhere to, so each browser will have its own implementation for handling user input. And if there is a way, you can be sure users will figure out how to do it (older browsers are usually the most susceptible). It's up to you to sanitize the user's input, whether it be from typing, pasting, etc. (I had to do this for a project, there's no way you can rely on it "just working").
As for designMode, the part you linked:
When a script is to be executed in a script execution context in which scripting is disabled, the script must do nothing and return nothing (a void return value).
Thus, for instance, enabling designMode will disable any event handler attributes, event listeners, timeouts, etc, that were set by scripts in the document.
This would make it appear designMode makes you "safe", but remember, specifications evolved over time, so without going back and testing all of the various browsers (or at least the ones your users have), you can never be sure.
作者: skyline3000 发布者: 2017 年 12 月 27 日来自类别的问题 :
- javascript 如何检测网页中使用了哪一个定义的字体?
- javascript JavaScript对象的长度
- javascript 从下拉框中获取文本
- javascript 带隐藏按钮的登录脚本
- html5 HTML 4和HTML 5之间的主要区别是什么?
- html5 HTML文本输入仅允许数字输入
- html5 我应该使用'name'或'id'制作HTML Anchor吗?
- html5 我应该将输入元素放在标签元素内吗?
- xss 如何在tomcat / java webapps中配置HttpOnly cookie?
- xss XSS黑名单 - 有人知道合理的吗?
- xss How can I sanitize user input with PHP?
- xss 处理安全性的最佳方法,并避免使用用户输入的URL进行XSS
- contenteditable 如何将光标移动到可信实体的末尾
- contenteditable 如何制作tab键在contentEditable div中插入制表符?
- contenteditable 限制ContentEditable div中的字符数
- contenteditable 当我击中太空时,Contenteditable会增加一个<br>
- sanitization 我可以通过使用单引号转义单引号和周围用户输入来防止SQL注入吗?
- sanitization 在经典asp中消毒输入的好方法
- sanitization 检测文本字符串中的(顽皮或漂亮)URL或链接
- sanitization 用于文件名的字符串清理程序