Preventing XSS (and other attacks) in XSLT generated content
I have an XSLT stylesheet that processes an XML document to produce HTML.
I've realised that it's possible to manipulate the site in such a way that the user can supply whatever XML they like - unfortunately this is unavoidable, and so I would like to protect myself from XSS (and other attacks) by ensuring that my XSLT stylesheet is capable of safely processing any document.
What do I need to be aware of to achieve this?
UPDATE:
I know that by default XSLT escapes output (which can be disabled by using the disable-output-escaping
attribute) - is this enough to prevent someone from being able to inject malicious HTML elements and attributes?
If you are processing XML data from an untrusted source and displaying the result on your website, always remember that it is not to be trusted.
- You should never use xsl:copy or xsl:copy-of. If you copy nodes other than text directly, XSS attacks will be possible.
- You should not use complicated or recursive rules. Specially crafted input can create a DoS by delaying the XSLT processing or making the processor crash.
- Also, like you mentioned, do not disable output escaping.
If you are passing the result of the transformation to an SQL server, you should not put any of the provided data in your SQL query.
For example, this is BAD:
<xsl:if test="@order">ORDER BY <xsl:value-of select="@order"/></xsl:if>
This is GOOD:
<xsl:if test="@order">ORDER BY
<xsl:choose><xsl:when test="@order = 'foo'">foo</xsl:when> <!-- [...] --> </xsl:choose>
</xsl:if>
If you really need to pass data to your query, use bind variables.
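The difference the answer describes, as an added example that is not part of the question or answer: a constructed attacker-controlled document is run through two small stylesheets with the third-party lxml package, one using xsl:value-of plus an xsl:choose whitelist, the other using xsl:copy-of.

```python
# Added example, not code from the question or answer above: it feeds a
# constructed, attacker-controlled XML document through two small stylesheets
# using the third-party lxml package (assumed to be installed).
from lxml import etree

# Constructed untrusted input: every byte is under the attacker's control.
UNTRUSTED_XML = (
    b'<item order="id; DROP TABLE users--">'
    b'<title>Hi &lt;b&gt;there&lt;/b&gt;</title>'
    b'<body><script>alert(1)</script></body>'
    b'</item>'
)

XSL_NS = 'xmlns:xsl="http://www.w3.org/1999/XSL/Transform"'

# value-of emits only the string value of a node, so markup in the input is
# escaped (or, for child elements, dropped), and the ORDER BY column comes
# from a fixed xsl:choose whitelist rather than from the input.
SAFE_XSLT = f"""<xsl:stylesheet version="1.0" {XSL_NS}>
  <xsl:output method="html"/>
  <xsl:template match="/item">
    <h1><xsl:value-of select="title"/></h1>
    <p><xsl:value-of select="body"/></p>
    <pre>ORDER BY <xsl:choose>
      <xsl:when test="@order = 'title'">title</xsl:when>
      <xsl:otherwise>id</xsl:otherwise>
    </xsl:choose></pre>
  </xsl:template>
</xsl:stylesheet>""".encode()

# copy-of reproduces the input's element nodes verbatim: whatever the attacker
# put inside <body> becomes live markup in the generated page.
UNSAFE_XSLT = f"""<xsl:stylesheet version="1.0" {XSL_NS}>
  <xsl:output method="html"/>
  <xsl:template match="/item">
    <p><xsl:copy-of select="body/node()"/></p>
  </xsl:template>
</xsl:stylesheet>""".encode()


def render(xslt_bytes: bytes, xml_bytes: bytes) -> str:
    """Apply the stylesheet to the document and return the serialized HTML."""
    transform = etree.XSLT(etree.XML(xslt_bytes))
    return str(transform(etree.XML(xml_bytes)))


if __name__ == "__main__":
    print(render(SAFE_XSLT, UNTRUSTED_XML))    # escaped text, ORDER BY id
    print(render(UNSAFE_XSLT, UNTRUSTED_XML))  # raw <script> element
```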