å æ¥å ¬éãããã¯ã¦âããã¢ã³ã±ã¼ããã«ã¦ãã¢ã³ã±ã¼ãã®èª¬ææãã¯ã¦ãªè¨æ³ã§æ¸ãããããæ©è½è¿½å ãè¡ã£ãããã®éãTemplate::Plugin::Hatenaãç¨ãããããã¯ãã¯ã¦ãªè¨æ³ãã¼ãµã§ããText::Hatenaï¼æ£ç¢ºã«ã¯ããã®ã´ã¡ã¼ã¸ã§ã³0.16以ä¸ï¼ããTemplate::Toolkitã®ãã©ã°ã¤ã³ã¨ãã¦ä½¿ããããã«ãããã®ã§ããã ã¯ã¦ãªè¨æ³ã¯ãããèªä½ã§å ¨ã¦ã®ææ¸æ§é ã表ç¾ã§ããããããã¯ãã¯ã¦ãªãã¤ã¢ãªã®ã·ã¹ãã èªä½ã¯ãã¯ã¦ãªè¨æ³ã®ã¿ãã許容ããªãã¨ãããã®ã§ã¯ãªãããã¨ãã°ç»åãè²¼ãéã«ã¯ãæ®éã«imgè¦ç´ ãæ¸ãå¿ è¦ãããããã¾ãããã®ä»ã®è¦ç´ ã«ã¤ãã¦ããè¨æ³ãç¨æããã¦ããªããã®ã«ã¤ãã¦ã¯ããã¯ã¦ãªãã¤ã¢ãªã¼ã®ãã«ã - ã¯ã¦ãªãã¤ã¢ãªã¼å©ç¨å¯è½ã¿ã°ãã«æ²è¼ããã¦ãããã®ã«éããèªåã§ã¿ã°ãæ¸ããã¨ãã§ãããããã¯èªç±åº¦ãé«ããåé¢ã§ãXSSãèªçºãå¾ãæ½å¨çãªãª
Internet Explorer ã®æªåé«ã Content-Type: ç¡è¦ã¨ããä»æ§ãå©ç¨ããã¨ãAtom ã RDF/RSS ãå©ç¨ãã¦XSSãçºçã§ãããã¨ãããã¾ããæ¡ä»¶çã«å¯¾è±¡ã¨ãªãWebã¢ããªã±ã¼ã·ã§ã³ã¯å¤ãã¯ãªãã¨æãã¾ãããããã§ãããã¤ã該å½ããWebã¢ããªã±ã¼ã·ã§ã³ãå®å¨ãããã¨ã確èªãã¾ããã以ä¸ã®ä¾ã§ã¯ Atom ã®å ´åã«ã¤ãã¦æ¸ãã¦ãã¾ãã RDF/RSS ã§ãåæ§ã§ãã ä¾ãã°ãhttp://example.com/search.cgi?output=atom&q=abcd ã¨ãã URL ã«ã¢ã¯ã»ã¹ããã¨ããabcdãã¨ããæååã®æ¤ç´¢çµæã Atom ã¨ãã¦è¿ãCGIããã£ãã¨ãã¾ãã GET /search.cgi?output=atom&q=abcd Host: example.com HTTP/1.1 200 OK Content-Type: ap
UTF-7ãå©ç¨ããXSSã¯ãcharset ãæå®ããã¦ããªãå ´åã«çºçããã¨èãããã¦ãã¾ãããå°ãªãã¨ã Internet Explorer ã«ããã¦ã¯ãããã¯å¤§ããªééãã§ããæ£ããã¯ãInternet Explorer ãèªèã§ãã charset ãæå®ããã¦ããªãå ´åã§ãããcharsetãä»å ããã¦ãã¦ããIEãèªèã§ããªãæåã¨ã³ã³ã¼ãã£ã³ã°åã§ããå ´åã«ã¯XSSãçºçãã¾ãã ä¾ãã°ã次ã®ãã㪠HTML ã¯(HTTPã¬ã¹ãã³ã¹ããã㧠charset ãæ示ããã¦ããªãå ´å)IEãæåã¨ã³ã³ã¼ãã£ã³ã°åãæ£ããèªèã§ããªãããããã®å 容ããUTF-7ã¨è§£éãããããã«ã¹ã¯ãªãããåä½ãã¾ãã"utf8"ã¨ãã表è¨ã¯UTF-8ã®æ £ç¨çãªè¡¨ç¾ã§ã¯ããã¾ããããã¤ãã³ãæãã¦ããæ£ãã表è¨ã§ã¯ããã¾ããã <html> <head> <meta http-equiv="Co
ååã¯ã¯ãã¹ãµã¤ãã»ã¹ã¯ãªããã£ã³ã°ã®ããå¼±æ§ãçªãæ»æã®å¯¾çã¨ãã¦ã®HTMLã¨ã³ã³ã¼ãã®æå¹æ§ãè¿°ã¹ãããã ï¼HTMLã¨ã³ã³ã¼ãã ãã§ã¯ã¯ãã¹ãµã¤ãã»ã¹ã¯ãªããã£ã³ã°æ»æãå®å ¨ã«é²å¾¡ãããã¨ã¯ã§ããªããããã§ä»åã¯ï¼HTMLã¨ã³ã³ã¼ãã§å¯¾å¦ã§ããªãã¿ã¤ãã®ã¯ãã¹ãµã¤ãã»ã¹ã¯ãªããã£ã³ã°æ»æã®æå£ã¨ï¼ãã®å¯¾çã«ã¤ãã¦è§£èª¬ããã HTMLã¨ã³ã³ã¼ãã§å¯¾å¦ã§ããªãæ»æã«ã¯ï¼æ¬¡ã®ãããªãã®ãããã ã¿ã°æåã®å ¥åã許容ãã¦ããå ´åï¼Webã¡ã¼ã«ï¼ããã°ãªã©ï¼ CSSï¼ã«ã¹ã±ã¼ãã£ã³ã°ã»ã¹ã¿ã¤ã«ã·ã¼ãï¼ã®å ¥åã許容ãã¦ããå ´åï¼ããã°ãªã©ï¼ æåã³ã¼ããæ示ãã¦ããªãã±ã¼ã¹ã§UTF-7æåã³ã¼ãã«ããã¯ãã¹ãµã¤ãã»ã¹ã¯ãªããã£ã³ã° <SCRIPT>ã®å 容ãåçã«çæãã¦ããå ´å Aã¿ã°ãªã©ã®URLãåçã«çæãã¦ããå ´åæ³¨ï¼ ä»¥ä¸ã§ã¯ï¼HTMLã¿ã°ãCSSã®å ¥åã許容ãã¦ããå ´åã¨ï¼æåã³ã¼ããæ
SessionSafeã¯ããã³ãã«ã°å¤§å¦ã®Martin Johnsãããæ¸ããWeb APã®æ¹å¼æ¡ã§ãã ããWeb APã«XSSèå¼±æ§ããã£ã¦ããããæ»æãããã¨ãã¦ãã ã»ãã·ã§ã³IDãçã¾ããªã å½è©²ãã¼ã¸ä»¥å¤ã®æ å ±ãçªåã»æ¹ç«ãããªã ãã¨ãç®æãã¦ãã¾ãã é¢ç½ããªã¼ã¨æã£ãã®ã§ãå 容ã«ã¤ãã¦å°ãæ¸ãã¾ãã ãªããå è¨äºãé«éæãèªã¿ããã®ã§ããã®æ¥è¨ã®å 容ã«ã¯ééããå«ã¾ãã¦ããããããã¾ãããèå³ã®ããæ¹ã¯åæ¬ãè¦ã¦ãã ããã ã»ãã·ã§ã³IDãçã¾ããªã 以ä¸ã®äºã¤ã®ãã¡ã¤ã³ãããã¨ãã¾ãã www.example.com secure.example.com ã»ãã·ã§ã³IDã®Cookieã¯ãsecureãµããã¡ã¤ã³ã«çºè¡ãã¾ãã Webãã¼ã¸ã表示ããéã¯www.example.comã®URLã«ã¢ã¯ã»ã¹ãã¾ããããã§è¿ãHTMLã«è²ã ã¨ä»æããæ½ãã¾ãã HTMLã®ä»æã
HTML Purifier - Filter your HTML the standards-compliant way! HTML Purifier is a standards-compliant HTML filter library written in PHP. HTMLã許å¯ãã¤ã¤XSS対çãè¡ããPHPã©ã¤ãã©ãªãHTML Purifierãã HTMLãã¡ããã¨ãã¼ã¹ãã¦ãXSSã«é¢ããåé¡ã®ããã¿ã°ãªã©ã¯é¤å»ãã¦è¿ãã¦ããã¾ãã ä¾ãã°ã次ã®ã³ã¼ãã(Before)ã phpspot <a href="hogehoge" onclick="alert('test1');">hogehoge</a> <script type="text/javascript"> <!-- alert("test2"); --> </script> 次ã®ã³ã¼ãã®ããã«ã¯ãªã¼ã³ã«ãªãã¾ãã(A
Firefox2ã§ãhttponlyã使ããã¨ãã話ãè³ã«ãã¾ããã httpOnly - Firefox Add-ons*1 httponlyãããããæ®åãããï¼ ã¨ããã®ã§ãã¿ã«ãã¦ã¿ã¾ãã ãªãããã®æ¥è¨ã¯ãWinXPï¼IE6SP2ç°å¢ãåæã¨ãã¦æ¸ãã¾ããã ã¯ããã« httponlyã¯ãXSSèå¼±æ§ãããç¶æ³ã«ããã¦ããcookieãçªåãããªãããã«ãããã¨ãçã£ãIEã®ç¬èªæ©è½ã§ãã MSDN - Mitigating Cross-site Scripting With HTTP-only Cookies ãã®æ©è½ãæå¹ã«ããããã«ã¯ãçºè¡ããcookieã«httponlyå±æ§ãä»ãã¾ãã Set-Cookie: key=value; domain=example.com; HttpOnly httponlyå±æ§ãä»ããããcookieã¯ãJavaScriptã®docume
ã©ã³ãã³ã°
ã©ã³ãã³ã°
ã©ã³ãã³ã°
ãªãªã¼ã¹ãé害æ å ±ãªã©ã®ãµã¼ãã¹ã®ãç¥ãã
ææ°ã®äººæ°ã¨ã³ããªã¼ã®é ä¿¡
å¦çãå®è¡ä¸ã§ã
j次ã®ããã¯ãã¼ã¯
kåã®ããã¯ãã¼ã¯
lãã¨ã§èªã
eã³ã¡ã³ãä¸è¦§ãéã
oãã¼ã¸ãéã
{{#tags}}- {{label}}
{{/tags}}