为什么我们不能有一些 AntiXss Literal html 标签
现在我正在学习网络安全、XSS 等。因为 XSS 基本上以客户端代理(网络浏览器)为目标,通过注入一些恶意代码,这些代码由经过身份验证的用户插入时由网络浏览器执行。现在的问题是 为什么我们不能在 html 中添加一个仅显示文字并阻止执行其中任何内容的标签?
类似这样的内容:
<!-- The code below will not be executed and just treated as literal content by a web browser -->
<ltrl>
<script type="text/javascript">alert('You have been xssed');</script>
</ltrl>
所以如果我在 html 中添加类似的内容,那么它就是如网络浏览器中所示
<script type="text/javascript">alert('You have been xssed');</script>
。
Nowadays I am learning about web security, XSS, etc. As XSS basically targets a client-agent (web browser) by injecting some malicious code that is executed by the web browser as it was inserted by an authenticated user. Now the question is Why can't we have a tag in html that just shows literals and prevents the execution of anything inside it?
Something like:
<!-- The code below will not be executed and just treated as literal content by a web browser -->
<ltrl>
<script type="text/javascript">alert('You have been xssed');</script>
</ltrl>
So if I would have something like this in html then it were shown as
<script type="text/javascript">alert('You have been xssed');</script>
in web browser.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
假设攻击者提供的文本内容是:
总标记为,
并且您的防御已被轻微破坏。
Suppose the contents of the text supplied by the attacker was:
the total markup would be
and your defence has been trivially breached.