Is it safe to allow links that start with # (hash)?

Programming Basics | Industry News. Updated: 2024-10-27 16:24:28
I'm building a webapp and users can create HTML contents dynamically. Is it safe (e.g. w.r.t. XSS attacks) to allow them to create links that start with #?

I don't know why it wouldn't be -- perhaps I'm just being paranoid. (My Javascript code doesn't do anything in particular with # URLs.)

Anyway, one reason I ask is that I'm using Google Caja's html-sanitizer to sanitize HTML. It filters URLs; however, the default filter looks like so:

function urlX(url) { if(/^https?:\/\//.test(url)) { return url }}

That is, the protocol must be specified and only HTTP and HTTPS are allowed but not javascript:. I recently changed the URL filtering function to:

function urlX(url) { if (/^https?:\/\//.test(url) || /^#/.test(url)) return url; }

(That is, #.... is allowed as well.)

I thought that perhaps I should ask if you think #... links are safe?

(For example, the browser won't do anything insane with links like `href='#javascript:....'`? Well, it does not (not my browser anyway), but perhaps there is some other ...something... that I'm not aware about.)

Best answer

It should be safe: anything after a # in a URL is parsed as a fragment identifier by browsers.

Of course, if you have some JavaScript on the page that reads that fragment identifier and does something unsafe with it, then all bets are off. But note that, in such a case, you have a more fundamental security problem that you need to fix.

Just disallowing links that begin with # won't do much, since an attacker could still include a malicious fragment identifier in a full URL, or even in a link pointing to your site from somewhere else.
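As an added example (not code from the question, the answer, or Google Caja), here is the poster's relaxed urlX filter next to a WHATWG URL parse of what it lets through, plus an allowlist for fragments that page scripts read. The base URL https://example.test/article and the helpers resolve and fragmentToId are this example's own assumptions.

```javascript
// Added example, not code from the question, the answer, or Google Caja.
// The poster's relaxed Caja-style filter: absolute http(s) URLs and
// same-document fragment links pass; javascript:, data:, relative paths are dropped.
function urlX(url) {
  if (/^https?:\/\//.test(url) || /^#/.test(url)) return url;
  return undefined; // Caja removes the attribute when the filter returns nothing
}

// Constructed base URL for the page the links would live on (an assumption).
const PAGE_URL = "https://example.test/article";

// Resolve an href the way a browser would and report the effective scheme
// and fragment. The name and shape of this helper are this example's own.
function resolve(href) {
  const u = new URL(href, PAGE_URL);
  return { protocol: u.protocol, hash: u.hash };
}

// A "#javascript:..." link passes urlX, but after resolution the scheme is
// still the page's own (https:) and the whole "javascript:..." text is only
// the fragment identifier; nothing after the hash is treated as a URL scheme.
// The answer's second point: a fragment can also ride on a full http(s) URL,
// so the href filter alone never controls what ends up in location.hash.

// Hence page scripts that read location.hash must treat it as untrusted.
// Allowlist the fragment as a plain element id before using it and return
// null for anything else, rather than feeding it to innerHTML or a selector.
function fragmentToId(hash) {
  const m = /^#([A-Za-z][\w-]*)$/.exec(hash);
  return m ? m[1] : null;
}
```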

Published: 2023-08-03 13:01:00
Source: https://www.elefans.com/category/jswz/34/1390087.html