fix(iframe): 屏蔽 Base64 方式 XSS 攻击链接

bhuh12 · Nov 28, 2020 · 665b897 · 665b897
1 parent 92b2f3d
commit 665b897
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 11 deletions.
diff --git a/lib/page/Iframe.vue b/lib/page/Iframe.vue
@@ -23,12 +23,15 @@ export default {
   },
 
   computed: {
-    // 链接安全过滤，避免执行js
+    /**
+     * 链接安全过滤，屏蔽以下方式 XSS 攻击，并返回空白页：
+     * 1. `javascript:` 执行代码：`javascript:alert(1)`
+     * 2. `data:` Base64 链接: `'data:text/html;base64,' + window.btoa('<script>alert(1)<\/script>')`
+     */
     url() {
       let src = decodeURIComponent(this.src)
 
-      // XSS 攻击链接返回空白页
-      if (/^javascript:/.test(src)) {
+      if (/^(javascript|data):/i.test(src)) {
         return 'about:blank'
       }
 

diff --git a/src/views/IframeOperate.vue b/src/views/IframeOperate.vue
@@ -20,15 +20,17 @@
       <a
         class="demo-btn"
         title="XSS 跨站链接的 iframe 将展示空白页面"
-        @click="
-          $tabs.openIframe(
-            'javascript:alert(window.parent.document.body.innerHTML)',
-            'XSS 跨站',
-            icon
-          )
-        "
+        @click="$tabs.openIframe(xss.js, 'XSS - JS', icon)"
       >
-        XSS 跨站
+        XSS - JS
+      </a>
+
+      <a
+        class="demo-btn"
+        title="XSS 跨站链接的 iframe 将展示空白页面"
+        @click="$tabs.openIframe(xss.base64, 'XSS - Base64', icon)"
+      >
+        XSS - Base64
       </a>
     </p>
 
@@ -75,13 +77,22 @@ export default {
   data() {
     return {
       icon: 'rt-icon-web',
+
       site: {
         src: 'https://cn.vuejs.org',
         title: 'Vue.js'
       },
+
       iframe: {
         src: 'https://router.vuejs.org/zh/',
         title: 'Vue Router'
+      },
+
+      xss: {
+        js: 'javascript:alert(1)',
+        base64:
+          'data:text/html;base64,' +
+          window.btoa('<script>alert(1)</s' + 'cript>')
       }
     }
   }