通过 JS 更改 TYPE 属性。这是安全问题吗?
我们是否应该能够更改 HTML INPUT 标记的 TYPE 属性?
例如,我们正在这样做:
原始 html:
<input type="text" />
通过 jQuery,我们将其更改为:
<input type="number" />
这似乎在 iOS 的 Safari 中工作正常。我没想到这会成为一个问题。
但现在我们在某些 Android 设备上发现了一些问题,并且在进行一些研究时,我发现提到某些浏览器出于安全原因根本不允许您更改类型属性。
问题:1)这是真的吗? 2)如果是这样,具体原因是什么?我无法弄清楚如果他们允许的话这会导致什么样的安全问题。
更新:
到目前为止,似乎是的,这是真的,但不是由于任何标准实践或规范......只是某些浏览器不喜欢它。即 IE,我猜还有某些版本的 Android 浏览器。
Are we supposed to be able to change an HTML INPUT tag's TYPE attribute?
For instance, we're doing this:
Original html:
<input type="text" />
And via jQuery, we change it to this:
<input type="number" />
This seems to work fine in iOS's Safari. Didn't occur to me it would be an issue.
But now we're seeing some issues on some Android devices and in doing some research, I'm finding mentions that some browsers do not let you change the type attribute at all for security reasons.
The questions: 1) is this true? 2) If so, what, exactly, are the reasons for this? I can't figure out what kind of security issues this would cause if they allowed it.
UPDATE:
So far it seems that yes, it's true, but not due to any standard practice nor spec...just that some browsers don't like it. Namely IE and, I guess, some versions of Android browsers.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
什么安全原因?这都是客户端。无论如何,你永远不应该相信客户端的任何东西。
客户可以在浏览器中和沿途更改任何他们想要的内容。这绝对不存在安全问题。
我怀疑某些浏览器不允许您更改类型属性,因为浏览器必须在内存中创建全新类型的对象,或者类似的其他奇怪现象。这与安全无关。
What security reasons? It's all client-side. You should never trust anything client-side anyway.
Clients can change whatever they want, both in the browser and along the path. There is absolutely no security problem with this.
I suspect some browsers won't let you change the type attribute as the browser would have to create a whole new type of object in memory, or some other oddity like that. It has nothing to do with security.
仅当元素未附加到文档时才能更改输入类型。
因此,要更改输入的类型,请将其从文档中删除,然后重新插入:
这很痛苦,但正如 Brad 所说,这可能与必须创建一个全新的表单元素有关。
Input types can only be changed if the element is not attached to the document.
So, to change an input's type, remove it from the document, then re-insert it after:
It's a pain, but as Brad said it's probably to do with having to create a whole new form element.