openresty / xss-nginx-module

Native support for cross-site scripting (XSS) in an nginx

use ngx_xss with ngx_echo #2

Closed wd closed 13 years ago

wd commented 13 years ago

With the following nginx configuration:

    location = /test {
        default_type application/json;

        echo_location /php/test.php; # will return a json string like '[['xx', 'yy']]'
        #echo_location_async /php/test.php;

        xss_get on;
        xss_callback_arg 'c';
    }

Requesting http://abc.com/test?c=fff will get something like '[['xx','yy']]fff()'.

If I add 'echo "";' before and after echo_location, the result works as expected.

Maybe it's a bug?

agentzh commented 13 years ago

ngx_xss will not work with ngx_echo's subrequest interfaces, due to the underlying limitations imposed by subrequests' "postponed chain" mechanism in the nginx core. The standard ngx_addition module also falls into this category. I'll document this limitation.

You're recommended to use ngx_lua as the content handler to issue subrequests and ngx_xss to do JSONP, because ngx_lua's ngx.location.capture() interface does not utilize the "postponed chain" mechanism. We're taking this approach in production and it works great.
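The workaround described in the comment above, written out as an added configuration example (not code from the issue thread or from the project's own docs). It assumes ngx_lua and ngx_xss are both compiled into the nginx binary and that /php/test.php is an existing location that returns the JSON body.

```nginx
# Added example: let ngx_lua issue the subrequest and ngx_xss wrap the result.
# Assumes ngx_lua (content_by_lua) and ngx_xss are built in and that
# /php/test.php is a location serving the JSON array.
location = /test {
    default_type application/json;

    # ngx.location.capture() returns the subrequest's body to Lua directly
    # instead of going through the core's "postponed chain", so the bytes
    # printed here are what ngx_xss's output filter sees as the response.
    content_by_lua '
        local res = ngx.location.capture("/php/test.php")
        if res.status ~= ngx.HTTP_OK then
            -- propagate backend failures rather than wrapping an error page
            ngx.exit(res.status)
        end
        ngx.print(res.body)
    ';

    # ngx_xss wraps the JSON body in the callback named by the c= argument,
    # giving the fff(...) form instead of the body followed by fff().
    xss_get on;
    xss_callback_arg 'c';
}
```

The reporter's echo_location version differs only in who performs the subrequest; the ngx_xss directives are the same, which is why the echo-based variant puts the callback after the body while this one wraps it.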

agentzh commented 13 years ago

On Sun, May 29, 2011 at 10:58 PM, wd reply@reply.github.com wrote:


This issue has just been fixed in master HEAD. Would you mind trying it out on your side?

Thanks! -agentzh

agentzh commented 13 years ago

BTW, the fix is included in the ngx_echo module, not this one.