JSLint的目的是“在正则表达式中禁止不安全”选项 [英] Purpose of JSLint "disallow insecure in regex" option
问题描述
我有一行代码在通过JSLint运行时出现以下错误:
第604行的Lint字符48:不安全的'^'。
numExp = parseInt(val [1] .replace(/ [^ \- + \d] / g,),10);
此错误似乎是指JSLint选项页面中的以下描述:
如果在RegExp文字中不允许使用。和[^ ...],则为true。
在安全验证时不应使用这些表格应用。
我不太明白客户端javascript应用程序如何真正被认为是安全的。即使使用最密集的正则表达式,仍然可以启动像firebug这样的东西,无论如何都要改变变量。真正的输入验证应该在服务器上完成,客户端浏览器应该坚持使用可以处理普通用户滥用的验证。
忽略安全这个错误?我在这里错过了一个角度,因为客户端输入验证,我的应用程序将不安全吗?
不安全的意思是非特定的在这种情况下。点。和独占范围 [^ ...] 都没有明确定义应该与正则表达式相匹配。出于验证目的,此可以提出成功匹配您认为不想要的东西的风险(想想:白名单与黑名单)。
在任何情况下,点和独占范围都是正则表达式的有效部分,如果它们符合您的需要(就像在这种情况下),我会认为警告过于谨慎。 / p>
恶意用户可以随时摆弄您的页面逻辑;警告更多的是关于页面的常规操作。
I have a line of code that gets the following error when run through JSLint:
Lint at line 604 character 48: Insecure '^'.
numExp = parseInt(val[1].replace(/[^\-+\d]/g, ""), 10);
This error seems to refer to the following description from JSLint's option page:
"true if . and [^...] should not be allowed in RegExp literals.
These forms should not be used when validating in secure applications."
I don't quite understand how a client-side javascript application can really be considered secure. Even with the most airtight regex, it's still possible to fire up something like firebug and change the variable anyway. The real input validation should be done on the server, and the client browser should probably stick with validation that will handle the abuse of your average user.
Is it safe to ignore this error? Am I missing an angle here where my application will be insecure because of client-side input validation?
"Insecure" means "unspecific" in this context. Both the dot . and the exclusive range [^…] are not clearly defining what should be matched by the regex. For validation purposes, this can propose the risk of successfully matching stuff that you did not think of and do not want (think: white-listing vs. black-listing).
In any case, dot and exclusive range are valid parts of a regular expression, and if they do what you need (like in this case), I would think of the warning as over-cautious.
A malicious user can fiddle with your page logic any time; the warning is more about the regular operation of the page.
这篇关于JSLint的目的是“在正则表达式中禁止不安全”选项的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
