tokuhirom's Blog

To turn off the XSS filter, send X-XSS-Protection: 0


On something like a preview screen, the browser's XSS filter fires on the page you are deliberately rendering,
which is a nuisance!

In that case, adding X-XSS-Protection: 0 to the response headers disables the XSS filter for that response, which does the job.

use strict;
use warnings;
use utf8;
use File::Spec;
use File::Basename;
use lib File::Spec->catdir(dirname(__FILE__), 'extlib', 'lib', 'perl5');
use lib File::Spec->catdir(dirname(__FILE__), 'lib');
use Amon2::Lite;

our $VERSION = '0.01';

# put your configuration here
sub load_config {
    +{ }
}

any '/' => sub {
    my $c = shift;
    return $c->render('index.tt');
};

# Preview endpoint: renders the submitted HTML unescaped (see d.tt).
# When the "noxss" checkbox is set, the response carries
# X-XSS-Protection: 0 so the browser's filter does not block it.
post '/d' => sub {
    my $c = shift;
    my $res = $c->render('d.tt', {
        src => scalar($c->req->param('src'))
    });
    if ($c->req->param('noxss')) {
        $res->header('X-XSS-Protection' => '0');
    }
    return $res;
};

__PACKAGE__->to_app(handle_static => 1);

__DATA__

@@ index.tt
<!doctype html>
<html>
<head>
    <meta charset="utf-8">
    <title>XSS</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js"></script>
    <link rel="stylesheet" href="http://twitter.github.com/bootstrap/1.4.0/bootstrap.min.css">
    <link rel="stylesheet" href="[% uri_for('/static/css/main.css') %]">
</head>
<body>
    <div class="container">
        <header><h1>XSS</h1></header>
        <form method="post" action="/d">
            <textarea name="src"><script>alert("It works!");</script></textarea><br />
            no xss: <input type="checkbox" name="noxss" /><br />
            <input type="submit" value="post" class="btn" />
        </form>
        <section class="row">
            This is an XSS demo
        </section>
        <footer>Powered by <a href="http://amon.64p.org/">Amon2::Lite</a></footer>
    </div>
</body>
</html>

@@ /static/css/main.css
footer {
    text-align: right;
}

@@ d.tt
<!doctype html>
<html>
<head>
    <meta charset="utf-8">
    <title>XSS</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js"></script>
    <script type="text/javascript" src="[% uri_for('/static/js/main.js') %]"></script>
    <link rel="stylesheet" href="http://twitter.github.com/bootstrap/1.4.0/bootstrap.min.css">
    <link rel="stylesheet" href="[% uri_for('/static/css/main.css') %]">
</head>
<body>
    <div class="container">
        <!-- intentionally unescaped: the preview must render the submitted markup as-is -->
        SRC: [% raw(src) %]
    </div>
</body>
</html>

@@ /static/js/main.js

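Rather than deciding the header inside each handler, the same effect can be scoped in one place. The following Plack middleware is an added example, not part of the original post or of Amon2::Lite: it keeps the filter enabled everywhere and sends X-XSS-Protection: 0 only on the paths you list (the class name, the preview_paths option and the '/d' path are assumptions for this illustration).

```perl
package Plack::Middleware::XSSProtectionScope;
use strict;
use warnings;
use parent 'Plack::Middleware';
use Plack::Util;
use Plack::Util::Accessor qw(preview_paths);

# Hypothetical middleware (not shipped with Plack or Amon2):
# preview_paths => arrayref of paths whose responses legitimately
# reflect submitted HTML and would otherwise trip the browser filter.
sub call {
    my ($self, $env) = @_;
    my $res = $self->app->($env);

    $self->response_cb($res, sub {
        my $res  = shift;
        my $h    = Plack::Util::headers($res->[1]);
        my $path = $env->{PATH_INFO} // '';
        my $is_preview = grep { $_ eq $path } @{ $self->preview_paths || [] };

        # Disable the filter only on the preview route; everywhere else
        # ask the browser to block rather than "sanitise" suspected reflections.
        # Note: current browsers have dropped this filter, so the header only
        # affects older ones; output escaping remains the real defence.
        $h->set('X-XSS-Protection' => $is_preview ? '0' : '1; mode=block');
    });
}

# Usage with Plack::Builder, wrapping the Amon2::Lite app from this post
# (assumed to be held in $app):
#
#   use Plack::Builder;
#   builder {
#       enable '+Plack::Middleware::XSSProtectionScope', preview_paths => ['/d'];
#       $app;
#   };

1;
```

With this in place the `noxss` branch in the `/d` handler becomes unnecessary, and no other route can accidentally ship with the filter turned off.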