GitHub - mikewest/purification
Various web applications often need to work with strings of HTML on the client-side. This might take place, for instance, as part of a client-side templating solution or perhaps come to play through the process of rendering user-generated content. The key problem is that it remains difficult to perform these tasks in a safe way. This is specifically the case because the naive approach of joining s
Masato Kinugawa Security Blog: Referreræ–‡å—列ã«ã‚ˆã‚‹XSS
リファラを使ã£ãŸXSSã®å°ãƒã‚¿ã§ã™ã€‚ 今回å–り上ã’ã‚‹ã®ã¯ã€ã‚¿ãƒ¼ã‚²ãƒƒãƒˆè‡ªèº«ãŒã€ç´°å·¥ã—ãŸãƒšãƒ¼ã‚¸ã‚’経由ã™ã‚‹ã“ã¨ã§ã¤ã‘られãŸãƒªãƒ•ã‚¡ãƒ©ã«ã‚ˆã£ã¦æ”»æ’ƒã‚’å—ã‘るケースã§ã™ã€‚ã“ã®ã‚ˆã†ãªæ”»æ’ƒã®å ´åˆã¯ã€ç¾å®Ÿã«çµŒç”±å¯èƒ½ãªãƒšãƒ¼ã‚¸ã‹ã‚‰ã§ã—ã‹æ”»æ’ƒæ–‡å—列をé€ã‚Šã“ã‚€ã“ã¨ãŒã§ãã¾ã›ã‚“。 例ãˆã°ã€ä»¥ä¸‹ã®ã‚ˆã†ã«ã€document.referrerã‚’ãã®ã¾ã¾document.write()ã—ã¦ã„るページãŒã‚ã‚‹ã¨ã—ã¾ã™ã€‚ http://vulnerabledoma.in/location/ リファラを書ã出ã—ã¦ã„る部分ã§XSSã§ãã‚‹ã§ã—ょã†ã‹ã€‚ IEã§ã¯å˜ç´”ã§ã™ã€‚ IEã¯URLã®ã‚¯ã‚¨ãƒªã«ã€ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‰ã›ãšã«ã€Œ"<>ã€ãªã©ã‚’å«ã‚ã‚‹ã“ã¨ãŒã§ãã‚‹ã®ã§ã€ã“れらをå«ã‚€URLã‹ã‚‰ã€ãƒªãƒ•ã‚¡ãƒ©ã‚’書ã出ã—ã¦ã„るページã¸é·ç§»ã•ã›ã‚Œã°ã€XSSãŒèµ·ãã¾ã™ã€‚ http://l0.cm/xss_referrer.html?<script>alert(1)</sc
1
ランã‚ング
ランã‚ング
ランã‚ング
リリースã€éšœå®³æƒ…å ±ãªã©ã®ã‚µãƒ¼ãƒ“スã®ãŠçŸ¥ã‚‰ã›
最新ã®äººæ°—エントリーã®é…ä¿¡
処ç†ã‚’実行ä¸ã§ã™
j次ã®ãƒ–ックマーク
kå‰ã®ãƒ–ックマーク
lã‚ã¨ã§èªã‚€
eコメント一覧を開ã
oページを開ã
https://wicg.github.io/purification/
Chrome Platform Status
blink-dev › Intent to Prototype: Sanitizer API | Google グループ
Guidelines for Setting Security Headers | Veracode
{{#tags}}- {{label}}
{{/tags}}