是否有必要“逃生”？字符“<和“>”。为JavaScript字符串？ [英] Is it necessary to "escape" character "<" and ">" for javascript string?

问题描述

有时，服务器端会生成嵌入到内嵌JavaScript代码中的字符串。例如，如果UserName应该由ASP.NET生成。然后它看起来像。

 < script> 
 var username =<％UserName％>; 
< / script> 
  

这是不安全的，因为用户可以将他/她的名字设为

< / c>< / c>< p>

这是XSS漏洞。

因此，基本上，代码应该是：

 < script> 
 var username =<％JavascriptEncode（UserName）％>; 
< / script> 
  

JavascriptEncode 的作用是在/之前添加字符\ 和'和，所以输出的html就像。

var username =< / script> alert（\'bug \'）< / script> < / script>;

浏览器不会解释 < / script> 作为脚本块的结尾，因此，避免了XSS。

然而，在那里仍然存在<和>，建议避开这两个首先，我不认为在这里改变<为& lt;和>为& gt;并不是一个好主意。确保将所有浏览器都改为<为\<和>为\>，似乎没有必要对<和>做进一步的编码。 / p>

有没有关于这方面的任何建议？

谢谢。

解决方案

这个问题根据什么m有不同的答案您正在使用的arkup语言。

如果您使用的是HTML，那么您不能用实体来表示它们，因为脚本元素被标记为包含CDATA。
$ b

如果您使用的是XHTML，那么您可以使用显式的CDATA标记将它们表示为CDATA，或者您可以用实体来表示它们。

如果您使用的是XHTML，但将其作为text / html提供，那么您需要编写符合XHTML规则的东西，但仍然可以使用文本/ html解析器。这通常意味着使用显式的CDATA标记并在JavaScript中注释它们。

 < script type =text / javascript> 
 //<！[CDATA [
 ... 
 //]]> 
< / script> 
  

前一段时间，我写了一篇关于这是什么意思。

Sometimes, server side will generate strings to be embedded in inline JavaScript code. For example, if "UserName" should be generated by ASP.NET. Then it looks like.

<script>
   var username = "<%UserName%>";
</script>

This is not safe, because a user can have his/her name to be

</script><script>alert('bug')</script></script>

It is XSS vulnerability.

So, basically, the code should be:

<script>
   var username = "<% JavascriptEncode(UserName)%>";
</script>

What JavascriptEncode does is to add charater "\" before "/" and "'" and """. So, the output html is like. var username = "</script>alert(\'bug\')</script></script>";

Browser will not interpret "</script>" as end of script block. So, XSS in avoided.

However, there are still "<" and ">" there. It is suggested to escape these two characters as well. First of all, I don't believe it is a good idea to change "<" to "&lt;" and ">" to "&gt;" here. And, I'm not sure changing "<" to "\<" and ">" to "\>" is recognizable to all browsers. It seems it is not necessary to do further encoding for "<" and ">".

Is there any suggestion on this?

Thanks.

解决方案

The problem has different answers depending on what markup language you are using.

If you are using HTML, then you must not represent them with entities as script elements are marked as containing CDATA.

If you are using XHTML, then you may represent them as CDATA with explicit CDATA markers, or you may represent them with entities.

If you are using XHTML, but serving it as text/html, then you need to write something which conforms to the rules of XHTML but still works with a text/html parser. This generally means using explicit CDATA markers and commenting them out in JavaScript.

<script type="text/javascript">
// <![CDATA[
  …
// ]]>
</script>

A while ago, I wrote a bit about the hows and whys of this.

这篇关于是否有必要“逃生”？字符“&lt;和“&gt;”。为JavaScript字符串？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！