文本区域内的 javascript xss
我有一个跨度,里面有这个文本:
/><textarea>
然后我尝试通过用文本区域替换其中的内容并在其文本中添加内容来编辑跨度的文本。
然后,当我尝试取消编辑并删除文本区域,然后将数据返回到范围时,会出现:
/>以及它附近的文本区域。
这是错误的。
我正在努力避免由于 xss 攻击而发生此类事情。
另外,如果我尝试在跨度内添加此代码:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
测试 xss 是否正常工作...我不会收到任何错误,因为刷新页面时我使用 htmlentities...
所以我使用单击按钮,文本区域会出现此内容里面......这里一切都很好,但是当我取消它时,我可以看到消息返回,因为它在跨度内......XSS警报弹出窗口......
关于如何解决这个问题有什么想法吗?
I have a span where i have this text inside:
/><textarea>
i then try to edit the span's text by replacing whats inside it with a textarea and adding inside its text.
then, when i try to cancel the edit and remove the textarea and then return the data back to the span, this appears:
/> and the textarea near it.
which is wrong.
i am trying to avoid such things due to xss attacks.
also if i try adding inside the span this code:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
to test if xss is working... i will not get any error since i use htmlentities when i refresh the page...
so i use the click button, the textarea appears with this inside... all good here but when i cancel it so i can see the message back as it was inside the span.. the XSS alert popups...
any ideas on how to solve this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
只需使用文本节点。 (
document.createTextNode(text here)创建它,然后像任何其他节点一样appendChild它)Just use text nodes. (
document.createTextNode(text here)to create it and thenappendChildit like any other node)我只需替换 html() ,然后用 text() 填充文本的范围。
i just had to replace html() which then filled the span with the text with text().