Prevent Cross Site Scripting (XSS) by shogo

· @shogo · (edited)
<center>
![Cross site scripting.png](https://cdn.steemitimages.com/DQmV2AV3tBtjBrmYDB33d18ZCLFp9PQ7TDAKn117fEG3jDV/Cross%20site%20scripting.png)
</center>

Hello, this is @shogo.

When developing web applications, security is something I keep worrying about.

When developing Steem applications in particular, it is worth keeping cross-site scripting (XSS) attacks in mind: post bodies are user-controlled content stored on the chain, and every front end that turns them into HTML is a place where an injected tag can run.

<center>
![プレゼンテーション1.png](https://cdn.steemitimages.com/DQmRvq2qkSy5QqCLYCzHpS3M1FPE1Ai6pLXM1c2MTzW8y2V/%E3%83%97%E3%83%AC%E3%82%BC%E3%83%B3%E3%83%86%E3%83%BC%E3%82%B7%E3%83%A7%E3%83%B31.png)
</center>

If you fetch posts from the Steem blockchain and generate HTML from them dynamically, you should sanitize the result (that is, restrict which HTML tags are allowed to survive).

If you are using marked.js, you can sanitize like this:

```javascript
marked(result.body, {sanitize: true})
```
However, this option makes marked escape every piece of raw HTML in the body, so tags that a post legitimately needs for display are lost as well, and you end up adding sanitizing code of your own anyway. (The `sanitize` option has also been deprecated since marked 0.7.0; marked's own documentation recommends running the rendered output through a dedicated sanitizer instead.)

The simplest route is to use a library such as the following:

https://github.com/punkave/sanitize-html

---

In the post view on Steemit.com, script tags were not rendered.

But there are many ways to embed JavaScript besides a `<script>` tag (an `onerror` handler on an `<img>`, a `javascript:` URL in a link, an `onload` on an inline `<svg>`), so stripping script tags alone is not enough; at a minimum, an allowlist of tags and attributes seems necessary.

If I have got anything wrong, I would be glad to be told!
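As an added example (not code from this post, nor from marked or sanitize-html), the following self-contained JavaScript contrasts a filter that only removes `<script>` elements with an allowlist sanitizer in the style of sanitize-html, run over the HTML a Markdown renderer would produce from a post body. The tag, attribute and URL-scheme allowlists, the payloads and the helper names are assumptions made for illustration; a real front end should use sanitize-html or DOMPurify rather than a hand-written tokenizer like this one.

```javascript
// Added example, not code from the original post, marked or sanitize-html: a
// minimal allowlist HTML sanitizer in the style of sanitize-html. It shows WHY
// stripping <script> alone fails; real deployments should use sanitize-html or DOMPurify.

// Assumed allowlists for a Steem post body; a real front end would tune these.
const ALLOWED_TAGS = new Set(['p', 'br', 'strong', 'em', 'code', 'pre',
  'blockquote', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'a', 'img', 'center']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt', 'title']) };
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
const VOID_TAGS = new Set(['br', 'img']);
// Disallowed tags whose text content is discarded together with the tag.
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'textarea']);

// Tokenizer: HTML comments, or open/close tags with their raw attribute string.
const TAG_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Browsers decode entities in attribute values before resolving a URL, so the
// scheme check must see the decoded value (&#106;avascript: is javascript:).
function decodeEntities(s) {
  const cp = (n) => (n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/g, (_, n) => ({ amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" })[n]);
}

// Returns the URL to emit, or null when its scheme is not allowlisted.
function safeUrl(raw) {
  // The URL parser drops tab/newline anywhere and C0/space at the ends, so
  // "java\tscript:" and " javascript:" would both execute if passed through.
  const url = decodeEntities(raw).replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (m && !ALLOWED_SCHEMES.has(m[1].toLowerCase())) return null;
  return url; // relative URLs and allowlisted schemes pass
}

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  let skipUntil = null; // closing tag name that ends a discarded element body
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const text = html.slice(last, m.index);
    last = TAG_RE.lastIndex;
    if (!skipUntil) out += escapeText(text);
    const token = m[0];
    if (token.startsWith('<!--')) continue; // comments never reach the output
    const name = m[1].toLowerCase();
    const isClose = token[1] === '/';
    if (skipUntil) { if (isClose && name === skipUntil) skipUntil = null; continue; }
    if (!ALLOWED_TAGS.has(name)) {
      if (!isClose && DROP_CONTENT.has(name)) skipUntil = name;
      continue; // unknown tag dropped; its text (e.g. inside <svg>) stays as text
    }
    if (isClose) { if (!VOID_TAGS.has(name)) out += `</${name}>`; continue; }
    const allowed = ALLOWED_ATTRS[name] || new Set();
    let attrs = '';
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(m[2])) !== null) {
      const attrName = a[1].toLowerCase();
      if (!allowed.has(attrName)) continue; // onerror, onload, style, ... never survive
      let value = a[2] ?? a[3] ?? a[4] ?? '';
      if (attrName === 'href' || attrName === 'src') {
        value = safeUrl(value);
        if (value === null) continue; // javascript:, data:, vbscript: links are dropped
      } else {
        value = decodeEntities(value);
      }
      attrs += ` ${attrName}="${escapeAttr(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  if (!skipUntil) out += escapeText(html.slice(last));
  return out;
}

// The approach the post warns about: removing only <script> elements.
function stripScriptTagsOnly(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Constructed payloads, as raw HTML could appear inside a post body.
const PAYLOADS = ['<script>alert(1)</script>', '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">click</a>', '<a href="&#106;avascript:alert(1)">click</a>',
  '<svg onload=alert(1)></svg>'];

// One row per payload: what each filter leaves behind.
function compare() {
  return PAYLOADS.map((p) => ({ payload: p, scriptStripped: stripScriptTagsOnly(p), allowlisted: sanitizeHtml(p) }));
}

if (typeof require !== 'undefined' && require.main === module) console.table(compare());
```

Running it prints one row per payload: the script-only filter neutralises just the first payload and passes the `onerror`, `javascript:`, entity-encoded and `<svg onload>` variants untouched, while the allowlist leaves `<img src="x">`, `<a>click</a>` and plain text. The scheme check runs on the entity-decoded, tab-stripped value because that is what the browser's URL parser will see; checking the raw attribute string would let `&#106;avascript:` through.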

![steemgif.gif](https://cdn.steemitimages.com/DQmfT1ff4qcYsU6XBguqfYVryQZBFJRLwX3giwtWbQv9r9t/steemgif.gif)
Posted 2019-03-30 (last edited 2019-03-30) by @shogo in category jp-dev; tags: jp-dev, japanese, busy, steem, jjm.
@anmitsu ·
!sneeze It would be nice if this could prevent hay fever too
@shogo ·
Hay fever is really rough, so I would like to prevent it :DD
@anmitsu, do you have hay fever??
!SSS
@shogo.life ·
Dear anmitsu, The SSS is on its way!
@king-of-disease ·
You have been infected by the [***King of Disease!***](https://steempeak.com/@king-of-disease/beware-the-steem-plague-is-here)

Will you quarantine yourself?

Or will you spread the plague?

<center>![King Of Disease](http://minnowshares.net/king-of-disease.png)</center>