setAttribute 是否会自动转义 HTML 字符? [英] Does setAttribute automatically escape HTML characters?
问题描述
我正在调查我们系统中的一个错误,其中链接的标题属性被设置为类似于 click if value >400 但实际显示的工具提示是 click if value >400.此标题值由用户输入定义,因此原始工程师对文本进行了转义,因此不会导致 XSS 漏洞.<代码>点击如果值>400 变成 click if value >400.
I'm investigating a bug in our system where a link's title attribute is being set to something akin to click if value > 400 but the actual tooltip being displayed is click if value > 400. This title value is defined by user input and so the original engineer escaped the text so it wouldn't cause a XSS vulnerability. click if value > 400 becomes click if value > 400.
这个额外的转义步骤似乎导致 HTML 特殊字符被转义过多,因此它们的转义值被逐字呈现.
This extra escaping step seems to cause HTML special characters to be escaped too much so their escaped values are being rendered literally.
为了更加彻底,我检查了 HTML 规范,根据这一行,setAttribute 函数似乎必须自动转义属性的值字符串.
To be extra thorough I checked the HTML spec and according to this line it appears that the setAttribute function must automatically escape the attribute's value string.
https://www.w3.org/TR/DOM-Level-2-Core/core.html#ID-F68F082
如果元素中已经存在具有该名称的属性,则其值将更改为 value 参数的值.该值是一个简单的字符串;在设置时不会对其进行解析.所以任何标记(例如被识别为实体引用的语法)都被视为文字文本,并且在写出时需要由实现进行适当的转义."
据我所知,这一行意味着 setAttribute 函数应该转义 HTML 特殊字符.这是正确的解释吗?
As I understand it, this line means that the setAttribute function should escape HTML special characters. Is that the correct interpretation?
推荐答案
该引用的简单英文解释是 setAttribute() 不会将值解析为 HTML.这样做的原因是因为您根本没有编写 HTML;该值是纯文本,而不是 HTML,所以通常在 HTML 中的特殊字符在纯文本中没有特殊含义,并且将它们转义为 HTML 实际上是具有破坏性的.
The plain English interpretation of that quote is that setAttribute() does not parse the value as HTML. The reason for that is because you're not writing HTML at all; the value is in plain text, not HTML, so what would normally be special characters in HTML have no special meaning in plain text, and escaping them as though they were HTML would actually be destructive.
> 是 >> 的 HTML 表示.你只需要用 HTML 编码,而不是纯文本.
> is the HTML representation of >. You only need to encode it in HTML, not in plain text.
这篇关于setAttribute 是否会自动转义 HTML 字符?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
