
CN103577188B - The method and device of defence cross-site scripting attack - Google Patents


Info

Publication number
CN103577188B
Authority
CN
China
Prior art keywords
environment
variable
template file
variables
escape mode
Prior art date
Legal status
Active
Application number
CN201310507467.0A
Other languages
Chinese (zh)
Other versions
CN103577188A (en)
Inventor
李成银
Current Assignee
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201310507467.0A
Publication of CN103577188A
Application granted
Publication of CN103577188B
Legal status: Active
Anticipated expiration

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method and device for defending against cross-site scripting attacks, belonging to the technical field of website design. The method includes: performing lexical analysis on a webpage design template file to obtain the UI variables in the template file; obtaining the semantic environment in which each UI variable is located in the template file; obtaining the escape mode corresponding to the semantic environment of each UI variable; and adding the escape mode to the template file where the UI variable is located, so that after the template file with the added escape mode goes online, the corresponding UI variable is escaped according to that escape mode. According to the invention, the safety of UI variable output can be improved, thereby effectively defending against cross-site scripting attacks.

Description

Method and device for defending cross-site scripting attack
Technical Field
The invention relates to the field of webpage design, in particular to a method and a device for defending cross-site scripting attack.
Background
In Web development, security problems caused by user input become more serious as more and more places accept user input. One common security problem is cross-site scripting (XSS), in which a malicious attacker embeds malicious HTML code into a Web page; when a user browses the Web page, the embedded HTML code is executed, achieving the attacker's purpose. XSS attacks can steal a user's account and acquire administrator authority, with very serious consequences. How to solve XSS security problems rapidly and safely is therefore very important in webpage development.
One solution in the prior art is to scan the online service with tools that send some malicious code during the scan; if the returned content does not remove or transcode the content corresponding to that malicious code, the website has an XSS security problem. Although this solution may find some problems online, it has the following drawbacks: the code is scanned only after it is online, so some security holes can already be exploited; and scanning is a black-box mechanism that does not find all the problems.
Another scheme in the prior art is to perform unified transcoding at the back-end logic layer on the User Interface (UI) variables passed to a web page design template, using a general escape function so that the UI variables are passed to the template as safely as possible. However, in practice it is found that after this scheme is adopted, many XSS security problems still exist.
Disclosure of Invention
In view of the above, the present invention has been developed to provide a method and apparatus for protecting against cross-site scripting attacks that overcomes, or at least partially solves, the above-mentioned problems.
According to one aspect of the invention, a method for defending cross-site scripting attack is provided, and comprises the following steps:
performing lexical analysis on the webpage design template file to obtain a User Interface (UI) variable in the template file;
acquiring the semantic environment of each UI variable in the template file;
acquiring an escape mode corresponding to the semantic environment where each UI variable is located;
and adding the escape mode to the template file where the UI variable is located, so that after the template file with the added escape mode goes online, the corresponding UI variable is escaped according to the escape mode.
Optionally, the semantic environment comprises one or more of:
an HTML environment in which UI variables are used in HTML page tags or tag attribute values;
a JS environment in which the UI variable is used in the JS code;
a Data environment in which UI variables are inserted into the string using innerHTML in a JS environment;
a URL environment in which UI variables are used in the parameters of the template link address URL;
an event environment in which UI variables are used in event function parameters of HTML page tags;
and a callback environment in which the UI variable is a callback parameter transmitted by the browser end.
Optionally, the method further comprises: establishing a corresponding relation between the semantic environment and the escape mode;
the acquiring of the escape mode corresponding to the semantic environment where each UI variable is located then comprises: acquiring the escape mode corresponding to the semantic environment where each UI variable is located according to the corresponding relation.
Optionally, the template file is a Smarty template file.
According to another aspect of the present invention, there is provided an apparatus for defending against cross-site scripting attack, comprising:
the lexical analysis unit is suitable for carrying out lexical analysis on the webpage design template file to obtain a User Interface (UI) variable in the template file;
the semantic environment acquisition unit is suitable for acquiring the semantic environment of each UI variable in the template file;
the escape mode acquisition unit is suitable for acquiring an escape mode corresponding to the semantic environment where each UI variable is located;
and the escape mode adding unit is suitable for adding the escape mode to the template file where the UI variable is located so that the corresponding UI variable is escaped according to the escape mode after the template file added with the escape mode is online.
Optionally, the semantic environment comprises one or more of:
an HTML environment in which UI variables are used in HTML page tags or tag attribute values;
a JS environment in which the UI variable is used in the JS code;
a Data environment in which UI variables are inserted into the string using innerHTML in a JS environment;
a URL environment in which UI variables are used in the parameters of the template link address URL;
an event environment in which UI variables are used in event function parameters of HTML page tags;
and a callback environment in which the UI variable is a callback parameter transmitted by the browser end.
Optionally, the apparatus further comprises a correspondence relationship establishing unit adapted to establish a correspondence relationship between the semantic environment and the escape manner;
the escape mode acquiring unit is then further adapted to acquire the escape mode corresponding to the semantic environment where each UI variable is located according to the corresponding relation.
Optionally, the template file is a Smarty template file.
According to the technical scheme of the embodiment of the invention, the UI variable output in the template code is found out by analyzing the template code, the semantic environment of the UI variable in the template file is correctly identified, and the escape mode corresponding to the semantic environment is added in the template file, so that the security of the UI variable output can be improved by escaping in combination with the semantic environment in the template layer, and the cross-site scripting attack is effectively prevented.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 illustrates a flow diagram of a method of defending against cross-site scripting attacks, according to one embodiment of the invention;
FIG. 2 illustrates a block diagram of an apparatus for defending against cross-site scripting attacks, according to one embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In order to defend against cross-site scripting attacks, one scheme in the prior art is to perform uniform transcoding, at the back-end logic layer, on the UI variables transmitted into a webpage design template, using a general escape function; yet many XSS security problems still exist.
Aiming at this problem, after theoretical analysis and a large number of experiments, the inventor found that this scheme performs escaping in the logic layer; although many UI variables can be safely output, the logic layer cannot sense the semantic environment of a UI variable in the template and can only transcode all UI variables uniformly, so that the escape mode (escape function) used for some UI variables is incorrect or inaccurate, and a security problem remains when those UI variables are output.
Therefore, the embodiment of the invention provides a method and a device for defending against cross-site scripting attacks, in which the UI variables output in the template code are found by analyzing the template code, the semantic environment of each UI variable in the template file is correctly identified, and the escape mode corresponding to that semantic environment is added in the template file. Each UI variable can thus be escaped with the correct escape mode, chosen in the template layer according to its semantic environment, which improves the safety of UI variable output and effectively defends against cross-site scripting attacks.
FIG. 1 shows a flow diagram of a method of defending against cross-site scripting attacks, according to one embodiment of the invention. Referring to fig. 1, the method may include:
Step 102: performing lexical analysis on a webpage design template file to acquire the User Interface (UI) variables in the template file.
The template is a strategy for separating the data presentation layer from the logic layer: the presentation layer presents page data in a preset manner, and the logic layer is the source of the data presented by the page. The webpage design template is an HTML file embedded with UI variables passed in by the logic layer. A UI variable is an object that the UI analyzes and is also the carrier for acquiring dynamic page data. The template file can be a Smarty template file or another type of template file.
By performing lexical analysis on the template file, the UI variables in the template file can be obtained. There are various algorithms for performing lexical analysis on the template file to obtain the UI variables included therein, and the specific lexical analysis algorithm is not limited in the embodiment of the present invention.
Step 104: acquiring the semantic environment of each UI variable in the template file.
As described above, the template file is an HTML file in which UI variables are embedded, and statements of the same type, or predetermined portions of such statements, in the HTML file can be used as a semantic environment.
Step 106: acquiring the escape mode corresponding to the semantic environment where each UI variable is located.
Step 108: adding the escape mode to the template file where the UI variable is located, so that after the template file with the added escape mode goes online, the corresponding UI variable is escaped according to the escape mode.
According to the embodiment of the invention, because the UI variable is escaped in the template layer, it can be escaped according to its semantic environment. Compared with the prior art, which adopts one uniform escape mode, the escape mode is refined, so that the corresponding escape mode (escape function) is used completely and correctly; the safety of UI variable output is improved and cross-site scripting attacks are effectively prevented.
Optionally, the method further comprises establishing a corresponding relation between the semantic environment and the escape mode. In this way, in step 106, the escape mode corresponding to the semantic environment where each UI variable is located can be obtained according to that correspondence.
For example, the template file is a Smarty template file, i.e. it uses the Smarty engine, and the left and right delimiters of UI variables in the Smarty template file are {% and %}; for example, {%$title%} and {%$smarty.get.callback%} are both UI variables. In the Smarty template file, the corresponding relations between the semantic environment and the escape mode are as follows:
1. HTML environment
UI variables in this environment are used in HTML page tags or in tag attribute values, such as:
<title>{%$title%}</title>
or,
<input type="text" value="{%$value%}" name="f_name"/>
In this environment, '<', '>', '"' and ''' need to be converted into '&lt;', '&gt;', '&quot;' and '&#39;' respectively. The above correspondence between the characters to be escaped and their escaped forms can be stored (packaged) as an escape mode in a file, for example escape_html; that is, escape_html is the escape mode file for the HTML environment.
2. JS Environment
UI variables in this environment are used in JS (JavaScript) code, i.e. inside <script> tags, as follows:
<script>
var name="{%$name%}";
</script>
In this environment, '\', ''', '"', '/', newline and carriage return need to be converted into '\\', '\'', '\"', '\/', '\n' and '\r' respectively. The correspondence between the characters to be escaped and their escaped forms can be stored (encapsulated) as an escape mode in a file, for example escape_js; that is, escape_js is the escape mode file for the JS environment.
3. Data environment
The UI variables in this environment are inserted into the string using the innerHTML in the JS environment, as:
<script>
qw.g("tip").innerHTML = "Hello! Welcome " + "{%$value%}";
</script>
In this environment, '\', ''', '"', '<', '>', '/', newline and carriage return need to be converted into '\\', '\&#39;', '\&quot;', '&lt;', '&gt;', '\/', '\n' and '\r' respectively (the value is read by the JS parser first and then by the HTML parser when it is written with innerHTML, so both kinds of escaping are combined). The correspondence between the characters to be escaped and their escaped forms can be stored (encapsulated) as an escape mode in a file, for example escape_data; that is, escape_data is the escape mode file for the Data environment.
4. url environment
The UI variables in this environment are used in the parameters of the template link address URL, such as:
<a href="{%$path%}" target="_blank">welefen</a>
In this environment, special characters such as Chinese characters need to be escaped into entity characters, and the correspondence between the special characters to be escaped and their escaped forms can be stored (packaged) as an escape mode in a file, for example escape_url; that is, escape_url is the escape mode file for the url environment.
5. event environment
UI variables in this environment are used in the event function parameters of HTML page tags, such as:
<body>
<input type="button" onclick="checkV('{%$arg%}')" value="submit"/>
</body>
In this environment, '\', ''', '"', '<', '>', '/', newline and carriage return need to be converted into '\\', '\&#39;', '\&quot;', '&lt;', '&gt;', '\/', '\n' and '\r' respectively (the attribute value is decoded by the HTML parser before the JS engine reads it, so both kinds of escaping are combined). The correspondence between the characters to be escaped and their escaped forms can be stored (encapsulated) as an escape mode in a file, for example escape_event; that is, escape_event is the escape mode file for the event environment.
6. callback environment
The UI variables in this environment are callback parameters transferred by the browser, such as:
{%$smarty.get.callback%}()
Generally, the space, '<', '>', '"', '+' and other special characters need to be filtered out (deleted); the correspondence between the escaped characters and their replacement (which is empty) can be stored (packaged) as an escape mode in a file, for example escape_callback; that is, escape_callback is the escape mode file for the callback environment.
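The six correspondences above, implemented as an added example in Python (not the patent's own escape files, which would be Smarty modifiers). The character tables follow the description's lists as far as they can be read; escaping '&' in the HTML and Data tables, percent-encoding for the url environment, the allow-list for the callback environment, and the render_js/js_literal_intact helpers that show why a single uniform escape function is not enough are this example's own additions:

```python
import urllib.parse


def _translator(mapping):
    """Build a single-pass character escaper from a {char: replacement} map.
    One pass means the order of replacements can never double-escape."""
    table = str.maketrans(mapping)
    return lambda s: s.translate(table)


# 1. HTML environment: tag text content and quoted attribute values.
#    The page lists < > " ' ; escaping & as well (added here) stops input
#    from forming entities of its own.
escape_html = _translator({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
})

# 2. JS environment: the value sits inside a JS string literal in <script>.
escape_js = _translator({
    "\\": "\\\\", "'": "\\'", '"': '\\"', "/": "\\/", "\n": "\\n", "\r": "\\r",
})

# 3. Data environment: a JS string literal later assigned to innerHTML, so the
#    value is read by the JS parser first and by the HTML parser second.
#    Quotes become \&#39; / \&quot;, which survive either parsing order; < and >
#    become entities so the value cannot open a tag once it reaches innerHTML.
_DATA_MAP = {
    "\\": "\\\\", "/": "\\/", "\n": "\\n", "\r": "\\r",
    "'": "\\&#39;", '"': "\\&quot;", "<": "&lt;", ">": "&gt;", "&": "&amp;",
}
escape_data = _translator(_DATA_MAP)

# 5. event environment: JS inside an HTML attribute such as onclick. The HTML
#    parser decodes the attribute before the JS engine sees it; the page gives
#    this environment the same character set as the Data environment.
escape_event = _translator(_DATA_MAP)


# 4. url environment: a value used as a URL parameter. The page speaks of
#    escaping "special characters such as Chinese"; percent-encoding every
#    byte outside the unreserved set (quote with an empty safe list) is the
#    general form of that rule.
def escape_url(s):
    return urllib.parse.quote(s, safe="")


# 6. callback environment: the page deletes space < > " + and similar. The
#    strict form is an allow-list: keep only characters legal in a dotted JS
#    identifier, so nothing but a function name can reach the page.
def escape_callback(s):
    return "".join(ch for ch in s if ch.isalnum() or ch in "_.$")


# Why the prior-art "one escape function for everything" fails: the HTML
# escaper leaves backslash and newline alone, which is harmless in tag text
# but ends a JS string literal early. render_js() builds the line that a
# template such as  var value='{%$js_value%}';  would emit.
def render_js(value, escaper):
    return "var value='" + escaper(value) + "';"


def js_literal_intact(rendered):
    """Constructed check: True if the emitted line is still one well-formed
    single-quoted literal (no raw newline, no unescaped quote inside)."""
    body = rendered[len("var value='"):-len("';")]
    if "\n" in body or "\r" in body:
        return False
    i = 0
    while i < len(body):
        if body[i] == "\\":
            if i + 1 >= len(body):
                return False   # trailing backslash escapes the closing quote
            i += 2             # an escape sequence consumes the next char
            continue
        if body[i] == "'":
            return False       # an unescaped quote closes the literal early
        i += 1
    return True
```

With escape_html alone, a value containing a newline or ending in a backslash breaks the JS literal; with escape_js it does not. That difference is exactly the logic-layer blind spot the description attributes to the prior art.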
An application example of the present invention is given below.
Assume that the template file has the following code:
{%$smarty.get.callback%}({%$pars|no_escape%})
<div>{%$name%}</div>
<div title="{%$title%}">welefen</div>
<a href="{%$url%}">welefen</a>
<a onclick="foo('{%$bar%}')">suredy</a>
<script type="text/javascript">
var value='{%$js_value%}';
</script>
The template file is a section of HTML text containing Smarty template syntax, and the UI variables obtained by lexical analysis of its content are: $smarty.get.callback, $pars, $name, $title, $url, $bar, $js_value. In addition, for UI variables that do not need to be escaped (for example, safe variables), a corresponding identifier, for example no_escape, may be added after the variable in the template file to mark this. In this template file, the $pars variable is a safe variable and is modified with no_escape, so the variable does not need to be escaped.
From the semantic context listed above, it can be known that:
1. The variables of the HTML environment are: $pars, $name, $title
2. The variables of the JS environment are: $js_value
3. The variables of the url environment are: $url
4. The variables of the event environment are: $bar
5. The variables of the callback environment are: $smarty.get.callback
Exemplary code that analyzes the UI variable semantic environment is as follows:
Since the $pars variable is modified by the trailing no_escape, it is a safe variable and does not require escaping.
After the semantic environment of each UI variable is analyzed, the corresponding escape mode can be used for escaping, and the escaped contents are as follows:
{%$smarty.get.callback|escape_callback%}({%$pars|no_escape%})
<div>{%$name|escape_html%}</div>
<div title="{%$title|escape_html%}">welefen</div>
<a href="{%$url|escape_path%}">welefen</a>
<a onclick="foo('{%$bar|escape_event%}')">suredy</a>
<script type="text/javascript">
var value='{%$js_value|escape_js%}';
</script>
Therefore, once the automatically escaped code goes online, the XSS problem can be basically eliminated.
Corresponding to the method for defending against cross-site scripting attack, the embodiment of the invention also provides a device for realizing the method.
FIG. 2 illustrates a block diagram of an apparatus for defending against cross-site scripting attacks, according to one embodiment of the present invention. Referring to fig. 2, the apparatus may include a lexical analysis unit 10, a semantic environment acquisition unit 20, an escape manner acquisition unit 30, and an escape manner addition unit 40, wherein:
the lexical analysis unit 10 is adapted to perform lexical analysis on the web page design template file to obtain User Interface (UI) variables in the template file. The template file can be a Smarty template file or other types of template files, and the UI variables in the template file can be acquired by performing lexical analysis on the template file. There are various algorithms for performing lexical analysis on the template file to obtain the UI variables included therein, and the specific lexical analysis algorithm is not limited in the embodiment of the present invention.
The semantic environment obtaining unit 20 is adapted to obtain a semantic environment in which each UI variable is located in the template file. The template file is an html file embedded with UI variables, and sentences of the same type or predetermined parts of the sentences in the html file can be used as a semantic environment.
The escape way obtaining unit 30 is adapted to obtain an escape way corresponding to the semantic environment in which each UI variable is located.
The escape mode adding unit 40 is adapted to add the escape mode to the template file where the UI variable is located, so that after the template file with the added escape mode goes online, the corresponding UI variable is escaped according to the escape mode.
Optionally, the semantic environment comprises one or more of:
an HTML environment in which UI variables are used in HTML page tags or tag attribute values;
a JS environment in which the UI variable is used in the JS code;
a Data environment in which UI variables are inserted into the string using innerHTML in a JS environment;
a URL environment in which UI variables are used in the parameters of the template link address URL;
an event environment in which UI variables are used in event function parameters of HTML page tags;
and a callback environment in which the UI variable is a callback parameter transmitted by the browser end.
Optionally, the apparatus further comprises a correspondence relationship establishing unit (not shown) adapted to establish a correspondence relationship between the semantic environment and the escape manner; the escape mode obtaining unit 30 is then further adapted to acquire the escape mode corresponding to the semantic environment where each UI variable is located according to the corresponding relation.
In summary, according to the technical solution of the embodiment of the present invention, the UI variable output in the template code is found by analyzing the template code, the semantic environment of the UI variable in the template file is correctly identified, and an escape manner corresponding to the semantic environment is added to the template file, so that the security of UI variable output can be improved by performing escape in combination with the semantic environment in the template layer, thereby effectively defending against cross-site scripting attack. Moreover, this approach is performed fully automatically, without manual intervention.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of an apparatus for protecting against cross-site scripting attacks in accordance with an embodiment of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.

Claims (8)

1. A method of defending against cross-site scripting attacks, comprising:
performing lexical analysis on the webpage design template file to obtain a User Interface (UI) variable in the template file;
acquiring the semantic environment of each UI variable in the template file;
acquiring an escape mode corresponding to the semantic environment where each UI variable is located;
adding the escape mode to the template file where the UI variable is located so that after the template file with the added escape mode goes online, the corresponding UI variable is escaped according to the escape mode;
the template file is an HTML file embedded with UI variables, and statements of the same type, or preset parts of such statements, in the HTML file are used as a semantic environment.
2. The method of claim 1, wherein the semantic environment comprises one or more of:
an HTML environment in which UI variables are used in HTML page tags or tag attribute values;
a JS environment in which the UI variable is used in the JS code;
a Data environment in which UI variables are inserted into the string using innerHTML in a JS environment;
a URL environment in which UI variables are used in the parameters of the template link address URL;
an event environment in which UI variables are used in event function parameters of HTML page tags;
and a callback environment in which the UI variable is a callback parameter transmitted by the browser end.
3. The method of claim 1 or 2, further comprising: establishing a corresponding relation between the semantic environment and the escape mode;
the acquiring of the escape mode corresponding to the semantic environment where each UI variable is located then comprises: acquiring the escape mode corresponding to the semantic environment where each UI variable is located according to the corresponding relation.
4. The method of claim 1, wherein the template file is a Smarty template file.
5. An apparatus for defending against cross-site scripting attacks, comprising:
a lexical analysis unit adapted to perform lexical analysis on a webpage design template file to obtain the user interface (UI) variables in the template file;
a semantic environment acquisition unit adapted to acquire the semantic environment in which each UI variable is located in the template file;
an escape mode acquisition unit adapted to acquire the escape mode corresponding to the semantic environment in which each UI variable is located;
an escape mode adding unit adapted to add the escape mode to the template file at the location of the UI variable, so that after the template file with the escape mode added goes online, the corresponding UI variable is escaped according to that escape mode;
wherein the template file is an HTML file with embedded UI variables, and statements of the same type in the HTML file, or preset parts of such statements, are treated as one semantic environment.
6. The apparatus of claim 5, wherein the semantic environment comprises one or more of:
an HTML environment, in which UI variables are used in HTML page tags or tag attribute values;
a JS environment, in which UI variables are used in JS code;
a Data environment, in which UI variables are placed, within a JS environment, in a string that is inserted into the page using innerHTML;
a URL environment, in which UI variables are used in the parameters of a link address (URL) in the template;
an event environment, in which UI variables are used in the event-handler function parameters of HTML page tags; and
a callback environment, in which the UI variable is a callback parameter passed in from the browser side.
7. The apparatus of claim 5 or 6, further comprising a correspondence establishing unit adapted to establish a correspondence between semantic environments and escape modes;
wherein the escape mode acquisition unit is further adapted to acquire, according to the correspondence, the escape mode corresponding to the semantic environment in which each UI variable is located.
8. The apparatus of claim 5, wherein the template file is a Smarty template file.
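The procedure claimed above (a lexical scan for UI variables, classification of each occurrence into a semantic environment, lookup of the escape mode for that environment, and insertion of the escape into the template) can be prototyped in a few dozen lines. The following is an added example written for this page; it is not code from the patent or from the applicant. It works on Smarty-style `{$var}` placeholders and uses the names of Smarty's built-in `escape` modifier (`html`, `javascript`, `url`) as the escape modes; the environment-to-escape table, the `classify` heuristics, the attribute list and the sample template are this example's own assumptions. It deliberately simplifies two things: the Data environment is recognised only when `innerHTML` appears in the same JS statement as the variable, and the callback environment of claim 2 is not handled at all, because a JSONP callback name needs an identifier whitelist rather than an escape.

```python
import re
from enum import Enum


class Env(Enum):
    """Semantic environments from claim 2 (callback environment omitted)."""
    HTML = "html"    # tag body text or an ordinary attribute value
    JS = "js"        # inside <script> code
    DATA = "data"    # JS string literal that the same statement feeds to innerHTML
    URL = "url"      # parameter inside an href/src/action attribute value
    EVENT = "event"  # argument inside an on* event-handler attribute


# Correspondence of claim 3, expressed as chains of Smarty's built-in escape
# modifier. The modifier names are real Smarty ones; the mapping is this
# example's assumption. Modifiers apply left to right, so the encoding the
# browser decodes LAST must be applied first.
ESCAPE_FOR_ENV = {
    Env.HTML: "|escape:'html'",
    Env.JS: "|escape:'javascript'",
    Env.DATA: "|escape:'html'|escape:'javascript'",   # JS parser unescapes, then innerHTML parses
    Env.URL: "|escape:'url'",
    Env.EVENT: "|escape:'javascript'|escape:'html'",  # HTML parser decodes, then JS engine runs
}

URL_ATTRS = {"href", "src", "action"}  # assumed list of URL-valued attributes

# A raw Smarty variable with no modifier; already-filtered {$x|...} is left alone.
VAR_RE = re.compile(r"\{\$(\w+)\}")
# The attribute whose (still open) value ends at the current position.
ATTR_RE = re.compile(r"""([A-Za-z_:][\w:.-]*)\s*=\s*(?:"[^"]*|'[^']*|[^\s"'>]*)$""")


def classify(template: str, pos: int) -> Env:
    """Return the semantic environment of the variable starting at `pos`."""
    before = template[:pos]
    lower = before.lower()
    open_script, close_script = lower.rfind("<script"), lower.rfind("</script")
    if open_script > close_script:
        # Inside <script>: inspect only the current statement (simplification).
        stmt = before[max(before.rfind(";"), open_script):]
        return Env.DATA if "innerHTML" in stmt else Env.JS
    if before.rfind("<") > before.rfind(">"):
        # Inside a tag: find which attribute value we are in.
        attr = ATTR_RE.search(before[before.rfind("<"):])
        if attr:
            name = attr.group(1).lower()
            if name in URL_ATTRS:
                return Env.URL
            if name.startswith("on"):
                return Env.EVENT
        return Env.HTML  # ordinary attribute value (or a bare tag position)
    return Env.HTML      # text between tags


def analyze(template: str) -> list[tuple[str, Env]]:
    """Lexical pass: every raw UI variable paired with its semantic environment."""
    return [(m.group(1), classify(template, m.start())) for m in VAR_RE.finditer(template)]


def add_escapes(template: str) -> str:
    """Rewrite the template so that each raw variable carries its escape mode."""
    def repl(m: re.Match) -> str:
        env = classify(template, m.start())
        return "{$" + m.group(1) + ESCAPE_FOR_ENV[env] + "}"
    return VAR_RE.sub(repl, template)


# Constructed sample template covering five of the six claimed environments.
SAMPLE_TEMPLATE = """<div class="user" title="{$nick}">Hello, {$nick}</div>
<a href="/profile?uid={$uid}">profile</a>
<button onclick="follow('{$uid}')">follow</button>
<script>
  var nick = "{$nick}";
  document.getElementById("box").innerHTML = "<b>{$bio}</b>";
</script>
"""

if __name__ == "__main__":
    for name, env in analyze(SAMPLE_TEMPLATE):
        print(f"{name:<5} -> {env.name:<5} {ESCAPE_FOR_ENV[env]}")
    print(add_escapes(SAMPLE_TEMPLATE))
```

The modifier order is the part worth checking against a real browser: for the Data environment the JS parser unescapes the string literal first and innerHTML then parses the result as markup, so HTML escaping must be applied first and JavaScript escaping last; the event environment is the mirror image, because the HTML parser decodes the attribute value before the JS engine sees it. Percent-encoding is only correct for a variable in a URL parameter position, as the claim states; a variable that forms the whole href value would additionally need scheme validation, which this example does not attempt.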
Priority Applications (1)

Application Number   Priority Date   Filing Date   Title                                                          Status
CN201310507467.0A    2013-10-24      2013-10-24    The method and device of defence cross-site scripting attack   Active (granted as CN103577188B)

Publications (2)

Publication Number   Publication Date   Kind
CN103577188A (en)    2014-02-12         Application publication
CN103577188B (en)    2016-11-16         Granted patent (this document)

Family

ID=50049037

Country Status (1)

Country Link
CN (1) CN103577188B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104601540B (en) * 2014-12-05 2018-11-16 华为技术有限公司 A kind of cross site scripting XSS attack defence method and Web server
CN106845221A (en) * 2016-11-09 2017-06-13 哈尔滨安天科技股份有限公司 A kind of recognition methods of script class file format and system based on grammatical form
CN107172029A (en) * 2017-05-09 2017-09-15 努比亚技术有限公司 Cross-site attack solution, mobile terminal and storage medium
CN112364353B (en) * 2020-11-03 2021-07-30 深圳开源互联网安全技术有限公司 Xss vulnerability detection method and device based on nodejs express application

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101192217A (en) * 2006-11-28 2008-06-04 阿里巴巴公司 Method for canceling harmful code of hypertext marker language
CN101217537A (en) * 2007-12-28 2008-07-09 董韶瑜 A network attacking prevention method
CN101964025A (en) * 2009-07-23 2011-02-02 中联绿盟信息技术(北京)有限公司 XSS (Cross Site Scripting) detection method and device
CN102999723A (en) * 2012-11-20 2013-03-27 焦点科技股份有限公司 Method and device for generating data defense assembly for actively defending XSS (Cross Site Script) attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10375107B2 (en) * 2010-07-22 2019-08-06 International Business Machines Corporation Method and apparatus for dynamic content marking to facilitate context-aware output escaping

Legal Events

Date         Code   Title
             C06    Publication
             PB01   Publication
             SE01   Entry into force of request for substantive examination
             C14    Grant of patent or utility model
             GR01   Patent grant
2022-07-14   TR01   Transfer of patent right
                    Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Qizhi software (Beijing) Co.,Ltd.
                    Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
                    Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
                    Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015