Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
hatena-diary-blog-xss
Search
Yasuhiro Onishi
May 14, 2013
Technology
5
1.1k
hatena-diary-blog-xss
はてなダイアリーやブログのXSS対策の事例を紹介します
Yasuhiro Onishi
May 14, 2013
Tweet
Share
More Decks by Yasuhiro Onishi
See All by Yasuhiro Onishi
アニメから得た学びを発表会 in 関西 はてな スポンサーLT
onishi
1
30
大吉祥寺.pm 基調講演
onishi
3
7.8k
YAPC::Kyoto 2023 Keynote
onishi
3
10k
2016 Devsumi Kansai
onishi
3
1.5k
Hatena-Camp
onishi
2
4.4k
Hatena Blog for Engineer
onishi
2
3.1k
Hatena Blog Development Flow
onishi
34
38k
wget.pl
onishi
3
1.4k
Redmine::ChanでIRCからプロジェクト管理
onishi
5
5.4k
Other Decks in Technology
See All in Technology
単一Gitリポジトリから独立しました
lycorptech_jp
PRO
0
150
Autocon3 - Building Trustworthy Network Automation, From Principles to Practice
dgarros
2
100
OTel meets Wasm: プラグイン機構としてのWebAssemblyから見る次世代のObservability
lycorptech_jp
PRO
1
320
從開發到架構設計的可觀測性實踐
philipz
0
140
Swiftは最高だよの話
yuukiw00w
2
290
プラットフォームとしての Datadog / Datadog as Platforms
aoto
PRO
1
340
LT:組込み屋さんのオシロが壊れた!
windy_pon
0
530
セキュリティSaaS企業が実践するCursor運用ルールと知見 / How a Security SaaS Company Runs Cursor: Rules & Insights
tetsuzawa
0
700
アプリケーションの中身が見える!Mackerel APMの全貌と展望 / Mackerel APMリリースパーティ
mackerelio
0
450
TypeScript と歩む OpenAPI の discriminator / OpenAPI discriminator with TypeScript
kaminashi
1
150
toittaにOpenTelemetryを導入した話 / Mackerel APM リリースパーティ
cohalz
1
490
Devin&Cursor、それぞれの「本質」から導く最適ユースケース戦略
empitsu
8
2.6k
Featured
See All Featured
Designing Experiences People Love
moore
142
24k
What's in a price? How to price your products and services
michaelherold
245
12k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
6
660
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
The Language of Interfaces
destraynor
158
25k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
228
22k
Six Lessons from altMBA
skipperchong
28
3.8k
Fireside Chat
paigeccino
37
3.5k
Product Roadmaps are Hard
iamctodd
PRO
53
11k
Stop Working from a Prison Cell
hatefulcrawdad
269
20k
Designing for humans not robots
tammielis
253
25k
Transcript
μΠΞϦʔͱϒϩάͱ 944 גࣜձࣾͯͳ JEPOJTIJ !4IJCVZB944JO0TBLB
ࣗݾհ wJEPOJTIJେ߁༟ wגࣜձࣾͯͳ wνʔϑΤϯδχΞ wͯͳϒϩάσΟϨΫλʔ
ͯͳͱݴ͑944
ͯͳφ
ͯͳφ
ͯͳͱ944 wਓྗݕࡧͯͳRIBUFOBOFKQ wͯͳΞϯςφBIBUFOBOFKQ wͯͳμΠΞϦʔEIBUFOBOFKQ wͯͳϒοΫϚʔΫCIBUFOBOFKQ
ͯͳͱ944 wಉҰυϝΠϯɾಉҰΫοΩʔʹΑΔ Ϣʔβʔೝূ wΫοΩʔΛୣΘΕͨΒηογϣϯϋ ΠδϟοΫ͞ΕಘΔ
ͯͳμΠΞϦʔ wϦϦʔεͷϒϩάαʔϏε wཧը໘ͱϒϩάը໘͕ಉҰυϝΠϯ wϒϩάαʔϏεˠϢʔβʔίϯςϯπ
ͦͷฤू
ͦͷฤू
Ϣʔβʔίϯςϯπ w͖ͳ͜ͱΛॻ͖͍ͨ w͖ͳσβΠϯʹ͍ͨ͠ w͖ͳϒϩάύʔπΛ͍͍ͨ
Ϣʔβʔརศੑͱ ҆શੑͷཱ྆
Ϣʔβʔίϯςϯπ w͖ͳ͜ͱΛॻ͖͍ͨˠ)5.-944 w͖ͳσβΠϯʹ͍ͨ͠ˠ$44944 w͖ͳϒϩάύʔπΛ͍͍ͨˠººº
)5.-ͷ944ରࡦ wར༻Մೳཁૉ wར༻Մೳଐੑ wελΠϧཁૉ wΠϯϥΠϯ$44
ҙ͖͢ཁૉ wTDSJQU wPCKFDU wFNCFE wJGSBNF wTUZMF w
ҙ͖͢ଐੑ wΠϕϯτϋϯυϥ PODMJDL PO wKBWBTDSJQUεΩʔϚ͕ॻ͚Δཁૉ wISFG TSD DJUF wTUZMF wޙड़
ͯͳμΠΞϦʔͷ944ରࡦ wར༻ՄೳཁૉˠϗϫΠτϦετܗࣜ wར༻ՄೳଐੑˠϗϫΠτϦετܗࣜ wಛఆͷཁૉɾଐੑˠઐ༻ͷରࡦ wεΩʔϜରࡦ wελΠϧରࡦ
$44ͷ944ରࡦ wFYQSFTTJPOରࡦ w!JNQPSUରࡦ
FYQSFTTJPO color: expression( error ? 'red' : 'blue');
FYQSFTTJPOίϝϯτ expr/* ίϝϯτ */ession
FYQSFTTJPOίʔυϙΠϯτ \0065xpression
FYQSFTTJPOશ֯ ̴̴̸͇̿́͂͂̾̽
FYQSFTTJPOจࣈ <p style="{ color: expression('blue') }">
FYQSFTTJPOҟମ expressio\207f expressioⁿ ˣ
!JNQPSU w!JNQPSUઌΛల։͢Δ w!JNQPS!JNQP!JNQ!JN!J
ϒϩάύʔπͷ944ରࡦ wϗϫΠτϦετܗࣜ wIUUQTNFUBDQBOPSHSFMFBTF )5.-8JEHFU7BMJEBUPS
ϒϩάύʔπͷ944ରࡦ wϒϩάόʔπࣗʹ੬ऑੑ͕͋Δ wυϝΠϯࣦޮˠѱҙΛ࣋ͬͨ+4࣮ߦ
944ରࡦৄ͘͠ wϔϧϓͯͳμΠΞϦʔ944ରࡦ wIUUQIBUFOBEJBSZHIBUFOBOFKQ LFZXPSEͯͳμΠΞϦʔ944ରࡦ
ͯͳͱݴ͑944
None
ͯͳϒϩά wϦϦʔε wIUUQIBUFOBCMPHDPN w IBUFOBOFKQ͡Όͳ͍ॳͷຊαʔϏε w+4ϑϦʔ
ϔομͷJGSBNFԽ iframe blog.hatena.ne.jp onishi.hatenablog.com
ͦͷฤू
ͦͷฤू
ΫϩευϝΠϯ௨৴ wXJOEPXQPTU.FTTBHF wΟϯυ ϑϨʔϜ ؒͰϝοηʔδͷ ૹड৴Λߦ͏ͨΊͷΈ // message Πϕϯτࢹ
window.addEventListener(“message”, function() {...}, false); // message ૹ৴ window.postMessage(data, “targetOrigin”);
ΫϩευϝΠϯ௨৴ wQPTU.FTTBHFඇରԠϒϥβ ݹ͍*& wMPDBUJPOIBTIʹΑΔυϝΠϯؒ௨৴ wϑϨʔϜͷMPDBUJPOIBTIॻ͖͑ wϑϨʔϜMPDBUJPOIBTIͷมԽ Λࢹ w5$1෩σʔλ௨৴ w63-੍ݶ
*&ͰόΠτ ʹΑΔύ έοτׂ
ΫϩευϝΠϯ௨৴ͷར༻ wͦͷฤू wӾཡऀͷฤूݖݶ֬ೝ wͯͳελʔ wίϝϯτ w௨ wϑΟʔυόοΫϑΥʔϜ
αʔυύʔςΟ$PPLJF wJGSBNFTDSJQUཁૉͰຒΊࠐ·Εͨ ֎෦Ϧιʔεʹ$PPLJFΛૹ৴͢Δ͔ w'JSFGPY͔ΒσϑΥϧτ0'' wJGSBNFʹΑΔΫϩευϝΠϯ௨৴͕ ͑ͳ͍
αʔυύʔςΟ$PPLJF0''ରࡦ wCMPHIBUFOBOFKQυϝΠϯͷ"1*Ξ ΫηεDPPLJFૹ৴͋Δ͔νΣοΫ wJGSBNF͔ΒXJOEPXPQFOʹ͢Δ wϢʔβʔใ͕औΕͳ͍ͷͰସ ใΛදࣔ͢Δ
JGSBNF
JGSBNF
XJOEPXPQFO
ସϔομ
ΞΫηείϯτϩʔϧ wϒϩάͷϓϥΠϕʔτ wೝূͷΈͷෳࡶԽ w֎෦ͷιʔγϟϧάϥϑೝূ wηογϣϯϋΠδϟοΫࢭ wϒϩάຖʹผυϝΠϯ wผϢʔβʔʹ࿙ΕͯͳΔ͘ͳ͍ wηογϣϯຖʹ%#ΞΫηε͠ͳ͍
ΞΫηείϯτϩʔϧ ॳճΞΫηε࣌ͷΈೝূػ͕ؔ %#ΛҾ͘ UPLFOͰϒϩάʹϦμΠϨΫτ ϒϩάຖʹӾཡ༻DPPLJFΛൃߦ ΞΫηε࣌ʹDPPLJFͷଥੑ
ݕূͷΈ ೝূػؔ .hatena.ne.jp ϒϩά anydomain Ϣʔβʔ
ΞΫηείϯτϩʔϧ ॳճΞΫηε࣌ͷΈೝূػ͕ؔ %#ΛҾ͘ UPLFOͰϒϩάʹϦμΠϨΫτ ϒϩάຖʹӾཡ༻DPPLJFΛൃߦ ΞΫηε࣌ʹDPPLJFͷଥੑ
ݕূͷΈ ೝূػؔ .hatena.ne.jp ϒϩά anydomain Ϣʔβʔ UPLFO
ΞΫηείϯτϩʔϧ ॳճΞΫηε࣌ͷΈೝূػ͕ؔ %#ΛҾ͘ UPLFOͰϒϩάʹϦμΠϨΫτ ϒϩάຖʹӾཡ༻DPPLJFΛൃߦ ΞΫηε࣌ʹDPPLJFͷଥੑ
ݕূͷΈ ೝূػؔ .hatena.ne.jp ϒϩά anydomain Ϣʔβʔ DPPLJF
ΞΫηείϯτϩʔϧ ॳճΞΫηε࣌ͷΈೝূػ͕ؔ %#ΛҾ͘ UPLFOͰϒϩάʹϦμΠϨΫτ ϒϩάຖʹӾཡ༻DPPLJFΛൃߦ ΞΫηε࣌ʹDPPLJFͷଥੑ
ݕূͷΈ ೝূػؔ .hatena.ne.jp ϒϩά anydomain Ϣʔβʔ
ΫϦοΫδϟοΩϯάରࡦ w9'SBNF0QUJPOT%&/: wϑϨʔϜ༻ͷཁૉ໌ࣔతʹڐՄ wͦͷ߹ɺ*/165ཁૉͷมߋΛࢹ
ΫϦοΫδϟοΩϯάରࡦ
·ͱΊ wͯͳμΠΞϦʔ wIBUFOBOFKQυϝΠϯͳͷͰపఈ͠ ͨϗϫΠτϦετରࡦ wͯͳϒϩά wಠࣗυϝΠϯ ΫϩευϝΠϯ௨৴
ਓࡐืू wגࣜձࣾͯͳͰΤϯδχΞͦͷଞ શ৬छΛืू͍ͯ͠·͢ wҰॹʹϒϩάΛ࡞Γ·͠ΐ͏ʂ www.hatena.ne.jp/company/staff
αϚʔΠϯλʔϯ w िؒ w8FCαʔϏε։ൃίʔε໊ఔ wେنγεςϜݚڀίʔε໊ఔ wۙʑืू։࢝͠·͢ʂʂ developer.hatenastaff.com