是否可以转义单引号以在 html 元素中注入 javascript?
比较 2 个 html 元素
const htmlElement = `<p myAttr=${attackerValue}>Appended element!</p>`;
在这里注入 javascript 很容易,我可以使用 < 的 attackerValue /code>
但是,如果 htmlElement 中有单引号包裹 attackerValue ,是否仍然可以注入 javascript?
const htmlElement = `<p myAttr='${attackerValue}'>Appended element!</p>`;
Codesandbox: https://codesandbox.io/s/young -hill-4nww5k?file=/src/index.js
编辑:找到我的答案,我可以简单地使用输入转义字符串单引号,例如'
Comparing 2 html elements
const htmlElement = `<p myAttr=${attackerValue}>Appended element!</p>`;
It is easy to inject javascript here, I can use an attackerValue of </p><script>alert("injected JS") </script>
However, if the there are single quotes wrapping attackerValue in the htmlElement, is it still possible to inject javascript?
const htmlElement = `<p myAttr='${attackerValue}'>Appended element!</p>`;
Codesandbox: https://codesandbox.io/s/young-hill-4nww5k?file=/src/index.js
Edit: Found my answer, I can simply escape the string single quote by using an input such as '</p><script>alert("injected JS") </script>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
对于前端代码,是否可能无关紧要。
&lt; script/&gt;标签通过inninhtml插入的标签未执行:浏览器忽略所有脚本标签插入到DOM中的所有脚本标签,以防止注射攻击。
可以通过
document.write():简单的解决方案注入脚本:不要使用
document.write.write()。For front-end code it does not matter if it is possible.
<script/>tags inserted viainnerHTMLare not executed:The browser ignores all script tags inserted into the DOM for exactly this reason - to prevent an injection attack.
It is possible to inject scripts via
document.write():The solution to that is simple: don't use
document.write().