使用encodeURI显示整个页面
你好,我正在制作一个 chrome 扩展。我将页面作为字符串保存到数据库中,然后将其作为 dataURI 方案打开,例如:
d = 'data:text/html;charset=utf-8'+encodeURI('HTML TEXT')
location.reload(d);
问题在于该页面的名称是 http://X /,我在其中执行上述命令丢失了其头部的 javascript 文件。 我考虑使用 document.write(d),如果 d 附加了一个带有 ... 的字符串>http://X/。
但这给 XSS 带来了一个很大的漏洞问题。此时,当我保存原始页面时,我正在尝试考虑白名单标签...还有其他方法吗?
Hi I am making a chrome extension. Where I save a page to the database as a string and then open it later as a dataURI scheme like:
d = 'data:text/html;charset=utf-8'+encodeURI('HTML TEXT')
location.reload(d);
The problem with this is that the page, say its name is http://X/, in which I executed the above command loses the javascript files in its head.
I considered using the document.write(d), if d has a string appeneded to it with the <head>...</head> of http://X/.
But this opens a big vulnerability problem for XSS. At this point I am trying to think of white listing tags when I save the original page... is there another way?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我不确定
http://X/是什么意思,但如果想要复制网站以保留其来源(即您提供的代码运行起来就像是从http 下载的一样) ://X/),那么恐怕使用标准 DOM 方法是不可能的(这将是绕过同源安全策略的安全漏洞)。如果您想安全地运行第 3 方源代码,请使用以下方法:
您可以修改源代码并在其中插入
I'm not sure what you mean by
http://X/, but if want copied website to retain its origin (i.e. have code you give run exactly as if it were downloaded fromhttp://X/), then I'm afraid it's not possible with standard DOM methods (it would be a security vulnerability that bypasses same-origin security policy).If you want to run 3rd party sourcecode safely, then use this:
You could modify the source and insert
<base href="http://X/">in there to make relative URLs work properly.