
Preventing XSS (cross-site scripting)

Date: 2018-04-12 00:14:59


Filtering with bs4 (BeautifulSoup), using a whitelist of tags and attributes:

from bs4 import BeautifulSoup


class XSSFilter(object):
    __instance = None

    def __init__(self):
        # XSS whitelist: tag name -> allowed attribute names
        self.valid_tags = {
            "font": ["color", "size", "face", "style"],
            "b": [],
            "div": [],
            "span": [],
        }

    def __new__(cls, *args, **kwargs):
        """
        Singleton pattern
        :param cls:
        :param args:
        :param kwargs:
        :return:
        """
        if not cls.__instance:
            # object.__new__ takes no extra arguments in Python 3
            obj = object.__new__(cls)
            cls.__instance = obj
        return cls.__instance

    def process(self, content):
        soup = BeautifulSoup(content, "html.parser")
        # Iterate over all HTML tags
        for tag in soup.find_all(recursive=True):
            # Check whether the tag name is in the whitelist
            if tag.name not in self.valid_tags:
                # Do not render the tag itself
                tag.hidden = True
                if tag.name not in ["html", "body"]:
                    # Also discard everything inside the tag
                    tag.clear()
                continue
            # Attribute whitelist for the current tag
            attr_rules = self.valid_tags[tag.name]
            keys = list(tag.attrs.keys())
            for key in keys:
                if key not in attr_rules:
                    del tag[key]

        return soup.decode()


if __name__ == "__main__":
    html = """<p class="title">
                        <b>The Dormouses story</b>
                    </p>
                    <p class="story">
                        <div name=root>
                            Once upon a time there were three little sisters; and their names were
                            <a href="http://example.com/lacie" class="sister" id="link2">Lacie</a> and
                            <a href="http://example.com/tillie" class="sister" id="link3">Tilffffffffffffflie</a>;
                            and they lived at the bottom of a well.
                            <script>alert(123)</script>
                        </div>
                    </p>
                    <p class="story">...</p>"""

    obj = XSSFilter()
    v = obj.process(html)
    print(v)
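
A variant of the filter above that checks attribute values as well as attribute names, and keeps the text of disallowed tags instead of discarding it. This is an added example, not code from the original post; `ALLOWED`, `DROP_WITH_CONTENT`, `sanitize` and the sample input are assumptions made for the illustration.

```python
import re
from bs4 import BeautifulSoup

# Assumed allowlist: tag -> {attribute: pattern the whole value must match}.
# "style" is left out on purpose: its value is free-form CSS that a
# simple pattern cannot vet.
ALLOWED = {
    "font": {
        "color": re.compile(r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})|[a-zA-Z]{1,20}"),
        "size": re.compile(r"[1-7]"),
        "face": re.compile(r"[\w ,-]{1,64}"),
    },
    "b": {},
    "div": {},
    "span": {},
}
# Elements whose body is code or CSS, not text: removed with their content.
DROP_WITH_CONTENT = ["script", "style"]


def sanitize(content):
    soup = BeautifulSoup(content, "html.parser")
    # Pass 1: delete script/style elements together with what they contain.
    for tag in soup.find_all(DROP_WITH_CONTENT):
        tag.decompose()
    # Pass 2: apply the allowlist to every remaining tag.
    for tag in soup.find_all(True):
        rules = ALLOWED.get(tag.name)
        if rules is None:
            tag.unwrap()  # drop the element, keep its children and text
            continue
        for key in list(tag.attrs):
            value = tag.attrs[key]
            if isinstance(value, list):  # bs4 splits class/rel into lists
                value = " ".join(value)
            pattern = rules.get(key)
            if pattern is None or not pattern.fullmatch(value):
                del tag[key]
    # Text nodes are entity-escaped again when the tree is serialized.
    return soup.decode()


# Constructed sample input, modelled on the markup used above.
SAMPLE = (
    '<div name="root" onclick="x()">Hi <a href="http://example.com/">link</a> '
    '<font color="red" size="9" style="x">text</font>'
    "<script>alert(123)</script></div>"
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

HTML comments pass through this function unchanged; strip them separately if the output context requires it.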

 


Original article: https://www.cnblogs.com/lybpy/p/8799190.html
