DomSanitizer security context explanation
I'm new to XSS prevention. I'm working on an Angular application that has some URLs with string values attached, and they are marked as insecure by AppScan (an external security application scanner).
So as I learned about XSS and reflected XSS, I learned that I need to sanitize my inputs before adding them to a URL string, for which I can use the DomSanitizer method from Angular. After reading the documentation I'm still wondering which security context I should use to sanitize my input; I also don't understand them clearly enough to be able to determine which security context to use in which case.
This is an example of one of my URLs:
import { DomSanitizer, SecurityContext } from '@angular/platform-browser';

const origin = `/services/${response.Id}`; // response.Id is a string
// sanitize() returns string | null (null only for a null/undefined input)
window.open(this.sanitizer.sanitize(SecurityContext.URL, origin), '_blank');
window.open(`/services/${response.Id}`, '_blank'); // Marked as insecure use of window.open (Cross-site Scripting Reflected)
Is this the security context I should use?
What would be the difference with the other security contexts?
SecurityContext.HTML
SecurityContext.RESOURCE_URL
SecurityContext.STYLE
SecurityContext.SCRIPT
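As an added illustration (not code from the question and not Angular's own source), the block below shows what a `SecurityContext.URL` style check does to a value that will become a navigation target such as a `window.open` argument: it accepts relative paths and an allow-list of schemes and neutralises everything else by prefixing it with `unsafe:`, which is the behaviour Angular's URL sanitizer has. It also shows the stricter fix for the URL in the question, where `response.Id` is one path segment: percent-encode the segment, so that an Id containing `/`, `?` or `#` cannot add path segments, a query string or a fragment. The scheme allow-list, the helper names `sanitizeUrlForUrlContext`, `buildServicesUrl` and `openService`, and the sample inputs are assumptions made for this example. Each Angular context corresponds to where the value is bound: `HTML` for markup bound to `innerHTML`, `STYLE` for style bindings, `URL` for `href`/`src`-like navigation targets, `RESOURCE_URL` for `iframe`/`script` sources, and `SCRIPT` for script content.

```typescript
// Added example: URL-context style sanitisation before window.open.
// The patterns below are an assumption that mirrors the idea behind a URL
// context (allow-listed schemes plus relative URLs); they are not Angular's
// exact implementation.

// Schemes a URL context accepts. javascript:, vbscript: and unknown schemes
// are not on the list and are neutralised.
const SAFE_SCHEME = /^(?:https?|mailto|ftp|tel|file|sms):/i;
// A relative or absolute-path URL: no ':' may appear before the first
// '/', '?' or '#' (otherwise the prefix would be parsed as a scheme).
const RELATIVE_URL = /^[^&:/?#]*(?:[/?#]|$)/;

// Returns the URL unchanged when it is safe to navigate to, otherwise
// prefixes it with "unsafe:" so the browser cannot interpret the scheme.
function sanitizeUrlForUrlContext(url: string): string {
  const trimmed = url.trim();
  if (SAFE_SCHEME.test(trimmed) || RELATIVE_URL.test(trimmed)) {
    return trimmed;
  }
  return 'unsafe:' + trimmed;
}

// Stricter fix for the question's URL: the template literal already pins the
// "/services/" prefix (so no scheme can be injected), but the Id is a single
// path segment, so percent-encode it to stop extra segments, query strings or
// fragments from being smuggled in through the Id.
function buildServicesUrl(id: string): string {
  return `/services/${encodeURIComponent(id)}`;
}

// Builds, sanitises and opens the URL. `open` is injected so the function
// can be exercised without a browser (in Angular it would be window.open).
function openService(id: string, open: (url: string) => void): string {
  const url = sanitizeUrlForUrlContext(buildServicesUrl(id));
  open(url);
  return url;
}

// Constructed sample run, e.g. with node: prints the URL that would be opened.
if (typeof window === 'undefined') {
  console.log(openService('abc-123', () => undefined));
}
```

In a real component the call stays `this.sanitizer.sanitize(SecurityContext.URL, url)`; note that it is typed `string | null`, so the result should be null-checked before it is handed to `window.open`. Encoding the Id at the point where the URL is built is the change that removes the class of problem the scanner is flagging, while the URL context is the right one for values that end up as navigation targets.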