如何保护应用程序对抗第三方js库中的XSS向量？ [英] how to secure app against XSS vectors present in 3rd party js libs?

问题描述

我在一个Android移动应用程序中使用各种第三方库，如cordova.js，jquery，jquery mobile，mobilizer等。通过不安全使用eval，settimeout，发现这些库有各种XSS载体， inner / outerhtml等等。

I am using various 3rd party libs like cordova.js, jquery, jquery mobile, mobilizer and so on, in a an android mobile app.. These libs are found to have various XSS vectors through insecure use of eval, settimeout, inner/outerhtml and so on.

我有什么方法可以覆盖/修复这些安全漏洞，并且仍然可以安全地在我的应用程序中使用这些库？

Is there any way by which I could cover/fix these security holes and still use these libs in my app, securely?

推荐答案

这些漏洞应该报告给供应商，你应该使用他们的补丁。

These vulnerabilities should be reported to the vendor, and you should use their patch.

利用基于DOM的XSS 和android是可能的，但是攻击媒介更受限制，因为通常攻击者无法使用简单的GET或POST请求利用这些漏洞中的一个。

Exploiting DOM Based XSS and android is possible, however the attack vectors are more limited because usually an attacker cannot exploit one of these vulnerabilities using a simple GET or POST request.

这篇关于如何保护应用程序对抗第三方js库中的XSS向量？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！