javascript - Javascript: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

I'm spending time trying to fix the Veracode scan flaw CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).

What I do is an HTTP call to my backend in order to open a blob with a download file.

```javascript
const xhr = new XMLHttpRequest();
xhr.open("GET", url, true);
xhr.responseType = "arraybuffer";
xhr.onreadystatechange = () => {
  if (xhr.readyState === 4 && xhr.status === 200) {
    var windowUrl = window.URL || window.webkitURL;
    // Wrap the raw response bytes in a Blob and mint an object URL for it
    var blobUrl = windowUrl.createObjectURL(new Blob([xhr.response]));
    // `doc` is the temporary <a> element used to trigger the download
    const doc = document.createElement('a');
    document.body.appendChild(doc);
    doc.href = blobUrl;
    if (filename) {
      doc.download = filename;
    }
    doc.click();
    // Release the object URL that was created above
    windowUrl.revokeObjectURL(blobUrl);
  }
}
xhr.send();
```

Veracode complains about this line:

```javascript
document.body.appendChild(doc);
```

This call to Node.appendChild() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.

Not sure what kind of verification upon my response I need to apply.

asked by Ziko, translated from SO


1 Reply


This is quite a complex topic; the first line of defence should be to sanitise the HTML before adding it to the page with a tool like this.

https://github.com/jitbit/HtmlSanitizer

Wikipedia has a great summary on different prevention techniques.

https://en.wikipedia.org/wiki/Cross-site_scripting#Preventive_measures

There is also this great cheatsheet on XSS prevention:

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

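A hardened version of the download routine, added here as an example (it is not the asker's code and not part of the answer above): the server-supplied filename is reduced to a plain basename before it reaches the `download` attribute, the Blob gets an inert MIME type so its bytes can never be rendered as a document under the app's origin, and only a `blob:` URL is ever placed in the anchor's `href`. The `dom` and `urlApi` parameters are assumptions introduced so the logic can be exercised outside a browser; in a page they default to `document` and `URL`.

```javascript
// Added example (not from the question or the answer): a hardened version of the
// blob-download routine. Assumptions: the response bytes and the filename are both
// server-supplied and treated as untrusted; `dom` and `urlApi` default to the browser
// globals and are parameters only so the logic can run outside a browser.

// Reduce an untrusted filename to a plain basename for the `download` attribute.
function safeDownloadName(name, fallback = "download.bin") {
  if (typeof name !== "string") return fallback;
  let base = name.split(/[\\/]/).pop();                 // drop any directory part
  base = base.replace(/[\x00-\x1f\x7f<>:"|?*]/g, "");   // control chars, OS-reserved chars
  base = base.replace(/^\.+/, "").trim();               // no "..", no hidden-file names
  return base.length ? base.slice(0, 255) : fallback;
}

// Give the Blob an inert MIME type. A blob: URL inherits the page's origin, so bytes
// typed as text/html that were ever navigated to (instead of downloaded) would run as the app.
function inertBlob(bytes) {
  return new Blob([bytes], { type: "application/octet-stream" });
}

// Build the anchor with DOM properties only (never innerHTML), accept nothing but a
// blob: URL as href, always set `download`, and revoke the object URL afterwards.
function downloadFromBlobUrl(blobUrl, filename, dom = globalThis.document, urlApi = globalThis.URL) {
  if (typeof blobUrl !== "string" || !blobUrl.startsWith("blob:")) {
    throw new Error("refusing to link a non-blob URL");
  }
  const a = dom.createElement("a");
  a.href = blobUrl;
  a.download = safeDownloadName(filename);  // forces a download rather than a navigation
  dom.body.appendChild(a);
  a.click();
  dom.body.removeChild(a);
  setTimeout(() => urlApi.revokeObjectURL(blobUrl), 0);  // revoke once the click has been processed
  return a.download;
}

// Browser entry point: fetch the file, then hand it to the hardened helper.
async function downloadFile(url, filename) {
  const res = await fetch(url);
  if (!res.ok) throw new Error(`HTTP ${res.status}`);
  const blobUrl = URL.createObjectURL(inertBlob(await res.arrayBuffer()));
  return downloadFromBlobUrl(blobUrl, filename);
}
```

Whether this silences the Veracode finding depends on its data-flow rules; what it does address is the two values the server can influence here, the filename and the bytes, neither of which is ever parsed as HTML.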
