Implement XSS protection in Golang

huangapple go评论100阅读模式
英文:

Implement XSS protection in Golang

问题

你好!根据你的描述,你正在使用Golang构建一个API Rest,并且有一个包含很多字段的结构体(超过100个字段)。你使用gorilla/schema将来自客户端的值赋给结构体,这个方法效果很好。

现在,你想要防止用户在任何字符串字段中插入JavaScript代码。在结构体中,你定义了布尔值、字符串、字节数组和整数值。所以,你现在想知道最佳的验证方法是什么。

我认为你可以遍历结构体,只对字符串字段进行处理,类似这样:

遍历结构体 {
     如果字段是字符串类型 {
         myProperty := JSEscapeString(myProperty)
     }
}

这样可以吗?如果可以的话,如何遍历结构体但只处理字符串字段呢?

英文:

I am using Golang to construct an API Rest. I have a struct with a lot of fields (more than 100), so I assign the values that comes from the client side to the struct using gorilla/schema that's working pretty nice.

Now, I want to avoid the users to insert Javascript code in any of the strings fields, in the struct I have defined bool, strings, byte[] and int values. So, now I am wondering what is the best way to validate that.

I am thinking in interate over the struct only in the strings fields and make something like:

Loop over the struct {
     myProperty := JSEscapeString(myProperty)
}

Is it ok? in that case, how can I loop over the struct but only the string fields?

答案1

得分: 4

你可以使用反射来遍历结构体的字段并转义字符串字段。例如:

myStruct := struct {
    IntField    int
    StringField string
}{
    IntField:    42,
    StringField: "<script>alert('foo');</script>",
}

value := reflect.ValueOf(&myStruct).Elem()

// 遍历结构体
for i := 0; i < value.NumField(); i++ {
    field := value.Field(i)

    // 检查字段是否为字符串类型
    if field.Type() != reflect.TypeOf("") {
        continue
    }

    str := field.Interface().(string)
    // 将字段设置为转义后的字符串
    field.SetString(html.EscapeString(str))
}

fmt.Printf("%#v", myStruct)
// 输出: struct { IntField int; StringField string }{IntField:42, StringField:"&lt;script&gt;alert(&#39;foo&#39;);&lt;/script&gt;"}

请注意,html 包中有一个 EscapeString 函数,无需自己实现。

英文:

You can use reflection to loop over the fields and escape the string fields.
For example:

myStruct := struct {
		IntField int
		StringField string
	} {
		IntField: 42,
		StringField: &quot;&lt;script&gt;alert(&#39;foo&#39;);&lt;/script&gt;&quot;,
	}
	
	value := reflect.ValueOf(&amp;myStruct).Elem()
	
    // loop over the struct
	for i := 0; i &lt; value.NumField(); i++ {
		field := value.Field(i)

        // check if the field is a string
		if field.Type() != reflect.TypeOf(&quot;&quot;) {
			continue
		}
		
		str := field.Interface().(string)
        // set field to escaped version of the string
		field.SetString(html.EscapeString(str))
	}
	
	fmt.Printf(&quot;%#v&quot;, myStruct)
    // prints: struct { IntField int; StringField string }{IntField:42, StringField:&quot;&amp;lt;script&amp;gt;alert(&amp;#39;foo&amp;#39;);&amp;lt;/script&amp;gt;&quot;}

Note that there's an EscapeString function in the html package. No need to implement your own.

huangapple
  • 本文由 发表于 2017年5月26日 21:29:20
  • 转载请务必保留本文链接:https://go.coder-hub.com/44202894.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定