我正在使用Reactfor a front-end和NodeJS MySQLfor back-end開發一個簡單的 post 應用程式。考慮到安全性,我想知道應該在哪里進行用戶輸入清理——在React 表單組件級別的客戶端,還是在NodeJS用戶發送資料后的代碼中的服務器端?我特別詢問xss攻擊,例如防止將JS代碼發布為帖子內容/正文。
uj5u.com熱心網友回復:
在將資料發送到服務器之前,不要在客戶端進行清理——客戶端可以自由地運行他們想要的任何 JavaScript 驗證代碼(包括沒有),并可以隨意發布到您的服務器。
一個好的方法是盡快安全地進行消毒。這樣做將導致您的資料庫將存盤經過清理的值,這意味著安全性將不依賴于在從資料庫中呈現某些內容時還記得在客戶端上進行清理。但是,在渲染時對客戶端進行清理也不會造成任何損害 - 它不會增加任何明顯的開銷,并且會提供一個額外的層,以防萬一您有一個端點在保存到之前錯誤地沒有清理資料庫。
uj5u.com熱心網友回復:
If you are letting React do the DOM manipulation itself rather than doing it by hand imperatively you don't have a lot to worry about. As long as you stay away from things like dangerouslySetInnerHTML or mutating the DOM by hand.
That being said, there are some things that you can adopt to make it even safer like using DOMPurify when you have no alternative to dangerouslySetInnerHTML.
You could also sanitize user generated content before persisting it to the database to not only prevent XSS but any sort of RCE if you know these values might be consumed by other programs and want to be defensive. But for XSS in React I wouldn't worry too much, It's only through the escape hatches in React that you would manage to get yourselve into an XSS issue.
Here is a good read on the topic https://www.stackhawk.com/blog/react-xss-guide-examples-and-prevention
轉載請註明出處,本文鏈接:https://www.uj5u.com/qiye/449192.html
