Javascript/jQuery XSS 可能从查询字符串中读取
我的 JavaScript 从查询字符串中读取数据,并使用 jQuery.val() 将该数据放入文本框中。
这工作正常,但我想知道这是否可以免受 XSS 攻击?
假设查询字符串看起来像...
site.com?q="javascript:alert(document.cookie)
这实际上可以做到:
jQuery.val('"javascript:alert(document .cookie)')
根据我在 IE8 / firefox 中的测试,这设置了所看到的输入值,并且不执行实际的注入。
如果我首先在字符串上运行此函数:
function htmlEncode(str) {
return str.replace(/</g, '<').replace(/>/g, '>').replace(/'/g, ''').replace(/"/g, '"');
}
那么您实际上会在输入值中看到 "javascript:alert(document.cookie) ,这不是我想要的。
使用 jQuery 1.5.2 我想我的问题是 jQuery.val() 是否为您处理 HTML 实体,因此被认为是安全的?
My javascript reads data from a query string and puts that data into a text box using jQuery.val().
This works fine but I am wondering is this safe from XSS attacks?
Say the query string looked like...
site.com?q="javascript:alert(document.cookie)
Which would effectively do:
jQuery.val('"javascript:alert(document.cookie)')
From what I have tested in IE8 / firefox this sets the input value as seen and doesn't do the actual injection.
If I run this function over the string first:
function htmlEncode(str) {
return str.replace(/</g, '<').replace(/>/g, '>').replace(/'/g, ''').replace(/"/g, '"');
}
Then you literally see "javascript:alert(document.cookie) in the input value which is not what I want.
Using jQuery 1.5.2 I guess my question is does jQuery.val() handle the HTML entities for you and is therefore considered safe?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
假设如下:
val函数的 jQuery 代码只是执行此操作:其中
this是对 DOM 中表示的Text对象的引用id 为“SomeTextbox”的文本框。字符串“SomeTextbox 的新值” 存储为该 DOM 对象的value属性。它不会以任何方式被转化或净化。但它也不会被 JavaScript 引擎解析/解释(例如,与InnerHTML一样)。因此,无论您对val的参数是什么,它都不会“做”任何事情。它只是更改 DOM 中对象的字符串属性的值。所以,是的,它会很安全。编辑:
以下是一些可能对您有帮助的附加信息。
一般来说,将某些内容放入文本框中,无论它看起来多么恶意,也无论它如何到达那里,只要它保留在文本框中,就是“安全”的。但接下来的发展方向非常重要。
如果文本框的内容随后呈现在已解析的 HTML 流中,则它不再安全。一个常见的场景是将文本框的内容存储在数据库中,然后检索它并将其呈现在浏览器解析为 HTML 的上下文中。如果重新显示发生在不同用户的上下文中,则恶意用户有机会在文本框中输入数据,以便在将来某个时间访问其他用户的私人信息。
Given the following:
the jQuery code for the
valfunction simply does this:where
thisis a reference to theTextobject in the DOM that represents the textbox with id "SomeTextbox". The string"new value for SomeTextbox"is stored as thevalueproperty of that DOM object. It does not get transformed or sanitized in any way. But it doesn't get parsed/interpreted by the JavaScript engine either (e.g. as it would withInnerHTML). So regardless of what your argument tovalis, it isn't going to "do" anything. It just changes the value of a string property of an object in the DOM. So, yes, it would be safe.EDIT:
Here is some additional information that you may find helpful.
In general, putting something into a text box, no matter how malicious it may appear, and regardless of how it gets there is "safe" as long as it stays in the text box. But it matters a lot where it goes from there.
If the content of the textbox is subsequently rendered in a stream of parsed HTML, then it is no longer safe. A common scenario is to store the content of a textbox in a database, then retrieve it later and render it in a context where the browser parses is as HTML. If the re-display occurs in the context of a different user, it creates an opportunity for a malicious user to enter data into the textbox in order to gain access to another users private information at some future time.