防止恶意用户执行JavaScript [英] Prevent malicious user from executing JavaScript

问题描述

在我的JSP中，我有一个像 fnGetTicketDetails 这样的函数：

In my JSP I have a function like fnGetTicketDetails:

function fnGetTicketDetails(record){
    $("#TicketNumber").val(record);
    $("#TicketDetailsForm").submit();
    return false;
}

我有这样的表格：

<form name="TicketDetailsForm" id="TicketDetailsForm" method="post" action='${properties["SUBMIT_TICKET_DETAIL"]}'
    target="_blank" style="display: none;">

我有输入隐藏参数

<input type="hidden" name="record" id="TicketNumber" /> 

它在服务器上工作正常。问题是：如果我使用

It is working fine in the server. Issue was: If I use

javascript:eval("fnGetTicketDetails(83769551); eval();");

浏览器中的

然后我也收到了无效的详细信息。如何从浏览器中阻止这些类型的请求。因为黑客可以轻松获取详细信息，如果他知道票号。

in the browser then also I am getting the details, which is invalid. How to block these type of request from browser. Because a hacker can easily get the details if he knows the ticket number.

推荐答案

你不能阻止用户这样做。

You can't prevent the user from doing this.

您必须处理用户的所有输入，包括 您的JavaScript发送的所有请求 as untrusted。

You must treat all input from the user including all requests sent by your JavaScript as untrusted.

这意味着服务器 必须验证来自用户的请求是否合法（即它必须检查当前用户是否有权读取指定的详细信息。）

That means that the server must verify that the request from the user is legitimate (i.e. it must check if the current user has permission to read the specified detail).

依靠隐藏字段和JavaScript来保证数据安全是一种非常简单的方法你的数据被盗了。

Relying on hidden fields and JavaScript to keep your data secure is a very easy way of getting your data stolen.

这篇关于防止恶意用户执行JavaScript的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！