What do we mean by contextually autoescaping?
While reading about Closure Templates, I came across the following statement:
Closure Templates are contextually autoescaped to reduce the risk of XSS.
As far as I understand, escaping means removing ambiguity from an input string, as described here.
I'm not sure what exactly this means; an explanation with a real-world example would be helpful.
There is more detail on security and autoescaping on this page of the Closure Templates documentation. In particular, look at the example given here.
You'll see that the input `{$x}` is escaped differently depending on where in the template output it is inserted (HTML, JavaScript, CSS, and so on). That is what contextual (i.e. context-sensitive) autoescaping means.
As the documentation puts it:
- When `{$x}` appeared inside HTML text, we entity-encoded it (`<` → `&lt;`).
- When `{$x}` appeared inside a URL or as a CSS quantity, we rejected it because it had a protocol `javascript:` that was not `http` or `https`, and instead output a safe value `#zSoyz`. Had `{$x}` appeared in the query portion of a URL, we would have percent-encoded it instead of rejecting it outright (`<` → `%3C`).
- When `{$x}` appeared in JavaScript, we wrapped it in quotes (if not already inside quotes) and escaped HTML special characters (`<` → `\x3c`).
- When `{$x}` appeared inside CSS quotes, we did something similar to JavaScript, but using CSS escaping conventions (`<` → `\3c `).

The malicious output was defanged.
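To make the four rules above concrete, here is an added example (my own illustration, not Closure Templates' code) of a minimal context-sensitive escaper that applies each rule to the same constructed `$x` value; the context names, the `escapeFor` function and the sample input are assumptions for the demo.

```javascript
// Added example, not Closure Templates' own code: a minimal context-sensitive
// escaper applying the rules quoted above to one constructed value.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

const escapers = {
  // HTML text: entity-encode the characters that could start a tag or entity.
  html: (s) => s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]),

  // Whole URL (e.g. an href): only http/https or scheme-less URLs pass; any
  // other scheme such as javascript: is replaced with the safe value #zSoyz.
  url: (s) => {
    const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(s.trim());
    return !scheme || /^https?$/i.test(scheme[1]) ? s : '#zSoyz';
  },

  // Value inside a URL query string: percent-encode instead of rejecting.
  urlQuery: (s) => encodeURIComponent(s),

  // JavaScript string: escape HTML-significant characters (plus quotes, backslash,
  // slash and line terminators) as \xHH or \uHHHH so the value can neither close
  // the string nor the <script> element; wrap in quotes unless already quoted.
  js: (s, inQuotes = false) => {
    const body = s.replace(/[\\'"<>&\/\n\r\u2028\u2029]/g, (c) => {
      const hex = c.charCodeAt(0).toString(16);
      return hex.length > 2 ? '\\u' + hex.padStart(4, '0') : '\\x' + hex.padStart(2, '0');
    });
    return inQuotes ? body : "'" + body + "'";
  },

  // Value inside CSS quotes: CSS escaping, hex code followed by a space (< → \3c ).
  css: (s) => s.replace(/[^a-z0-9]/gi, (c) => '\\' + c.charCodeAt(0).toString(16) + ' '),
};

// Escape one value for the context the template is about to print into.
function escapeFor(context, value, ...rest) {
  const fn = escapers[context];
  if (!fn) throw new Error('unknown context: ' + context);
  return fn(String(value), ...rest);
}

// Constructed sample input: the same $x printed in each context.
const X = "javascript:alert('<b>x</b>')";

for (const ctx of ['html', 'url', 'urlQuery', 'js', 'css']) {
  console.log(ctx.padEnd(8), escapeFor(ctx, X));
}
```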