Javascript安全风险? [英] Javascript security risks?
问题描述
使用Javascript有什么风险以及如何避免它们?
What are the risks of using Javascript and how to avoid them?
推荐答案
最常见的错误之一是HTML注入,允许第三方将JavaScript注入您的安全上下文。这允许攻击者控制用户在您网站上的操作,完全破坏帐户安全性。
One of the most common errors is HTML injection, allowing third parties to inject JavaScript into your security context. That allows an attacker to control what a user does on your site, completely breaking account security.
虽然尝试让网络作者记住HTML的进展缓慢但进展缓慢 - 他们输出到服务器端网页的字符串(例如PHP中的 htmlspecialchars
),新一代的webapps正在使用相同的哑字串连接黑客来创建内容客户端使用JavaScript:
Whilst there has been some slow progress trying to get web authors to remember to HTML-encode strings they output into web pages at the server side (eg htmlspecialchars
in PHP), a new generation of webapps are using the same dumb string-concatenation hacks to create content at the client-side using JavaScript:
somediv.innerHTML= '<p>Hello, '+name+'</p>';
经常使用jQuery:
often using jQuery:
$('table').append('<tr title="'+row.title+'"><td>'+row.description+'</td></tr>');
这与服务器端HTML注入一样脆弱,作者真的需要停止以这种方式构建内容。您可以在客户端对文本内容进行HTML编码,但由于JS没有内置的HTML编码器,您必须自己完成:
This is just as vulnerable as server-side HTML injection and authors really need to stop building content this way. You can HTML-encode text content at the client side, but since JS doesn't have a built-in HTML encoder you'd have to do it yourself:
function encodeHTML(s) {
return s.replace(/&/g, '&').replace(/</g, '<').replace(/"/g, '"');
}
somediv.innerHTML= '<p>Hello, '+encodeHTML(name)+'</p>';
然而它通常很多最好使用可用的DOM方法和属性来避免转义:
var p= document.createElement('p');
p.appendChild(document.createTextNode('Hello, '+name);
并使用jQuery使用 attr()
, text()
和创建快捷方式:
and with jQuery use attr()
, text()
and the creation shortcuts:
$('table').append(
$('<tr>', {title: row.title}).append(
$('<td>', {text: row.description})
)
);
这篇关于Javascript安全风险?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!