分为两种情况
postmessage引起的:
这种安全漏洞一般是因为在使用postmessage发送接收消息的时候没有判断origin引起的,当然如果判断了origin还爆出这种问题,可以尝试对消息体进行转码进行规避。
首先可以进行 origin 的判断，有些情况下不用编码就可以符合安全漏洞的扫描规则。
ajax数据请求引起的:
可以尝试对消息体进行转码进行规避。
编码方法
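/**
 * Output-encode a string for safe insertion into HTML.
 *
 * Neutralises the two characters that open or close a tag, "<" and ">",
 * together with their URL-encoded spellings ("%3C"/"%3c", "%3E"/"%3e") and
 * the transport form produced by htmlEncode() ("%26lt%3B"/"%26gt%3B", i.e. a
 * percent-encoded "&lt;"/"&gt;"). All of them become the HTML entities
 * "&lt;" / "&gt;".
 *
 * The listing as published replaced "<" with "<", which is a no-op: the
 * entity in the replacement text was lost when the page was rendered. An
 * encoder that returns its input unchanged gives no protection, so the
 * entities are spelled out here.
 *
 * Scope is deliberately the same as the original: "&", quotes and newlines
 * are left alone (see the commented-out lines in the published version).
 * The result is therefore safe as element text, but NOT inside an unquoted
 * attribute, a URL, or a <script> block, which need context-specific encoding.
 *
 * @param {string} str - text to encode; null, undefined and "" yield "".
 * @returns {string} the encoded text.
 */
function htmlEncodeOut(str) {
  if (str == null || str.length === 0) return "";
  var s = String(str);
  // One pass per delimiter. The alternation covers the literal character,
  // both cases of its percent-encoding and the htmlEncode() transport form.
  // Neither replacement string contains anything the other pass matches, so
  // the two passes cannot feed each other.
  s = s.replace(/<|%3C|%3c|%26lt%3B|%26lt%3b/g, "&lt;");
  s = s.replace(/>|%3E|%3e|%26gt%3B|%26gt%3b/g, "&gt;");
  return s;
}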
/**
 * Run htmlEncodeOut() over a whole payload before it is displayed.
 *
 * Objects (arrays included) are serialised with JSON.stringify, encoded as one
 * string and parsed back, so every string inside the structure — keys and
 * values alike — has been processed. Plain strings are encoded directly.
 * Any other value (number, boolean, undefined, ...) is returned untouched.
 *
 * Note: typeof null is "object", so null takes the JSON round-trip and comes
 * back as null. htmlEncodeOut() is defined elsewhere in this file.
 *
 * @param {*} data - value to encode.
 * @returns {*} the encoded value, same shape as the input.
 */
function dataEncodeOut(data) {
  const kind = typeof data;
  if (kind === "object") {
    return JSON.parse(htmlEncodeOut(JSON.stringify(data)));
  }
  if (kind === "string") {
    return htmlEncodeOut(data);
  }
  return data;
}
解码方法
/**
 * Rewrite the HTML tag delimiters in a string into a form that survives
 * transport unchanged: "<" (and its URL-encoded spellings "%3C"/"%3c")
 * becomes "%26lt%3B", ">" ("%3E"/"%3e") becomes "%26gt%3B" — that is, a
 * percent-encoded "&lt;" / "&gt;". The companion htmlEncodeOut() recognises
 * these sequences and maps them back for display. Nothing else is touched:
 * "&", quotes and newlines pass through as-is.
 *
 * @param {string} str - input text; "" yields "".
 * @returns {string} the rewritten text.
 */
function htmlEncode(str) {
  if (str.length === 0) return "";
  // One pass per delimiter: the alternation covers the literal character and
  // both cases of its percent-encoding. Neither replacement contains a
  // pattern the other pass could match, so the order is immaterial.
  const withLt = str.replace(/<|%3C|%3c/g, "%26lt%3B");
  return withLt.replace(/>|%3E|%3e/g, "%26gt%3B");
}
/**
 * Run htmlEncode() over a whole payload before it is sent.
 *
 * Objects (arrays included) are serialised with JSON.stringify, encoded as one
 * string and parsed back, so every string inside the structure — keys and
 * values alike — has been processed. Plain strings are encoded directly.
 * Any other value (number, boolean, undefined, ...) is returned untouched.
 *
 * Note: typeof null is "object", so null takes the JSON round-trip and comes
 * back as null. htmlEncode() is defined elsewhere in this file.
 *
 * @param {*} data - value to encode.
 * @returns {*} the encoded value, same shape as the input.
 */
function dataEncode(data) {
  const kind = typeof data;
  if (kind === "object") {
    return JSON.parse(htmlEncode(JSON.stringify(data)));
  }
  if (kind === "string") {
    return htmlEncode(data);
  }
  return data;
}
postmessage接收消息
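// Accept postMessage payloads only from one known window.
//
// event.origin is the sender's full origin ("scheme://host[:port]"), so the
// published comparison against the bare hostname 'www.baidu.com' could never
// be true and every message was silently dropped. Compare the whole origin
// with === — never indexOf/startsWith/endsWith, which other hostnames can
// satisfy. 'https://www.baidu.com' below is a constructed example: put the
// exact origin of the real sender here.
//
// The published listing was also missing the ';' between the two statements
// and the ')' that closes addEventListener; both are restored.
//
// The origin check limits who may talk to this page; it says nothing about
// the message itself, so event.data should still be checked for the expected
// shape before it is used.
window.addEventListener('message', function (event) {
  if (event.origin !== 'https://www.baidu.com') {
    return; // untrusted sender: ignore, do not process or echo the data
  }
  // Output-encode before the payload reaches any HTML sink; console.log here
  // stands in for whatever the page does with the message.
  var res = dataEncodeOut(event.data);
  console.log(res);
});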
ajax消息请求
$.ajax({type: 'POST',url: url + '/login',contentType: 'application/json',data: JSON.stringify(dataJson),success: function(data) {data = dataEncodeOut(data);},error: function(e) {e = dataEncodeOut(e);}