Preventing XSS Attacks with Beautiful Soup 4

Use beautifulsoup4 to filter user-submitted content before it is rendered.
In real use the filter should be implemented as a singleton.
Steps:

  1. Instantiate a BeautifulSoup object and parse the page
  2. Find the target tags
  3. Empty out the illegal tags
  4. Get the processed string back

Operating on tags directly

Example:

from bs4 import BeautifulSoup

content = '''
<div id="i1">
	<img src="" id="img">
</div>
<div id="i2"></div>
<script>alert('Hi!')</script>
'''
soup = BeautifulSoup(content, 'html.parser')    # <class 'bs4.BeautifulSoup'>
script_tag = soup.find('script')   # <class 'bs4.element.Tag'>
script_tag.clear()          # empty the tag's contents
script_tag.hidden = True    # drop the tag itself from the output
content = soup.decode()     # convert the object back into a string
print(content)

Output:

<div id="i1">
	<img src="" id="img">
</div>
<div id="i2"></div>

Operating on attributes

Get the attribute dictionary via .attrs and operate on that dictionary.
Example:

from bs4 import BeautifulSoup

content = '''
<div id="i1">
	<img src="" id="img">
</div>
<div id="i2"></div>
<script>alert('Hi!')</script>
'''
soup = BeautifulSoup(content, 'html.parser')
img_tag = soup.find('img')
del img_tag.attrs['id']     # remove a single attribute from the tag's attribute dict
content = soup.decode()
print(content)

Output:

<div id="i1">
	<img src="">
</div>
<div id="i2"></div>
<script>alert('Hi!')</script>

Setting up a whitelist

Example:

from bs4 import BeautifulSoup

content = '''
<div id="i1">
<img src="" id="img">
</div>
<div id="i2" class="c1"></div>
<script>alert('Hi!')</script>
'''
tag_p = {
    # allowed tags and, for each, the attributes that are allowed
    'div': ['class', ],
    'img': ['src', ],
}
soup = BeautifulSoup(content, 'html.parser')    # <class 'bs4.BeautifulSoup'>
# start filtering
for tag in soup.find_all():
    if tag.name in tag_p:
        pass
    else:   # tags not on the whitelist are removed entirely
        tag.hidden = True
        tag.clear()
        continue

    for k in list(tag.attrs.keys()):    # convert dict.keys to a list first, since we delete while iterating
        if k in tag_p[tag.name]:
            pass
        else:
            del tag.attrs[k]

content = soup.decode()
print(content)

Output:

<div>
<img src=""/>
</div>
<div class="c1"></div>
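The whitelist loop above, wrapped into a reusable sanitize() function, as an added example that is not part of the original post. It assumes a policy dict ALLOWED (the post's div/img whitelist, extended here with an a tag and href) and adds one check the tag/attribute whitelist alone does not make: a whitelisted src or href can still carry a non-http scheme, so URL attribute values are dropped unless they are relative or http(s).

```python
from bs4 import BeautifulSoup

# Assumed policy: allowed tags and, per tag, the attributes that may survive.
ALLOWED = {
    'div': ['class'],
    'img': ['src'],
    'a': ['href'],
}
# Attributes that hold URLs and therefore need a value check as well.
URL_ATTRS = {'src', 'href'}
SAFE_SCHEMES = ('http:', 'https:')


def _url_ok(value):
    """Accept relative URLs and http(s) URLs; reject any other scheme."""
    v = value.strip().lower()
    # A colon before the first slash means an explicit scheme is present
    # (html.parser has already decoded entities, so the check sees the real value).
    if ':' not in v.split('/')[0]:
        return True
    return v.startswith(SAFE_SCHEMES)


def sanitize(html, allowed=ALLOWED):
    """Strip every tag and attribute not on the whitelist, plus unsafe URL values."""
    soup = BeautifulSoup(html, 'html.parser')
    for tag in soup.find_all():
        if tag.name not in allowed:
            tag.hidden = True   # drop the tag itself ...
            tag.clear()         # ... and everything inside it
            continue
        for name in list(tag.attrs.keys()):
            if name not in allowed[tag.name]:
                del tag.attrs[name]
            elif name in URL_ATTRS and not _url_ok(tag.attrs[name]):
                del tag.attrs[name]
    return soup.decode()


# Constructed sample input covering a forbidden attribute, a forbidden tag
# and a whitelisted attribute carrying a non-http scheme.
SAMPLE = ('<div id="i1" class="c1"><img src="javascript:alert(1)" id="img"></div>'
          '<a href="https://example.com" onclick="x()">link</a>'
          "<script>alert('Hi!')</script>")

if __name__ == '__main__':
    print(sanitize(SAMPLE))
```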

Methods

findChildren = findAll = find_all (aliases)
findChild = find = find_all(...)[0] (the first match)
tag.clear() empties the selected tag's contents (the tag itself remains)
tag.hidden = True removes the tag itself from the output (its contents remain)
tag.attrs returns the attributes as a dict of key: value pairs

posted on 2019-06-08 21:47 by doubtful