Javascript security risks?


Question


What are the risks of using Javascript and how to avoid them?

Recommended answer


One of the most common errors is HTML injection, allowing third parties to inject JavaScript into your security context. That allows an attacker to control what a user does on your site, completely breaking account security.


Whilst there has been some slow progress trying to get web authors to remember to HTML-encode strings they output into web pages at the server side (eg htmlspecialchars in PHP), a new generation of webapps are using the same dumb string-concatenation hacks to create content at the client-side using JavaScript:

// Vulnerable: `name` is concatenated into markup without HTML-encoding
somediv.innerHTML= '<p>Hello, '+name+'</p>';


often using jQuery:

// Vulnerable: row.title and row.description are interpolated into markup unencoded
$('table').append('<tr title="'+row.title+'"><td>'+row.description+'</td></tr>');


This is just as vulnerable as server-side HTML injection and authors really need to stop building content this way. You can HTML-encode text content at the client side, but since JS doesn't have a built-in HTML encoder you'd have to do it yourself:

// Encode the characters that matter in HTML text and double-quoted attribute values
function encodeHTML(s) {
    return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}

somediv.innerHTML= '<p>Hello, '+encodeHTML(name)+'</p>';

However, it's usually much better to use the available DOM methods and properties to avoid escaping at all:

var p= document.createElement('p');
// createTextNode treats the whole string as text, so no encoding is needed
p.appendChild(document.createTextNode('Hello, '+name));


and with jQuery use attr(), text() and the creation shortcuts:

$('table').append(
    $('<tr>', {title: row.title}).append(
        $('<td>', {text: row.description})
    )
);
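As an added example (not part of the original answer), here is the string-building pattern from the answer written both ways side by side, so the effect of client-side encoding can be checked without a browser. It is plain string code that runs under Node; `renderRowUnsafe`, `renderRowSafe`, `countTags` and the `sampleRow` input are all constructed for this illustration, and the encoder extends the answer's version to also cover `>` and `'`.

```javascript
// Added example, not code from the original answer.
// Builds the same <tr> markup as the answer's jQuery snippet, once without
// encoding and once with every untrusted value passed through encodeHTML().

// The answer's encoder covers &, < and " (enough for text and double-quoted
// attributes); this one also covers > and ' so the result is safe inside
// single-quoted attributes too.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function encodeHTML(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The vulnerable pattern from the answer, kept as a pure string builder for comparison.
function renderRowUnsafe(row) {
  return '<tr title="' + row.title + '"><td>' + row.description + '</td></tr>';
}

// The hardened version: each untrusted value is encoded before concatenation.
function renderRowSafe(row) {
  return '<tr title="' + encodeHTML(row.title) + '"><td>' +
         encodeHTML(row.description) + '</td></tr>';
}

// Crude tag counter used only here: counts every '<' that starts a tag name
// or a closing tag, so injected markup shows up as extra tags.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed sample input: a title that breaks out of the attribute quotes
// and a description that carries its own markup.
const sampleRow = {
  title: 'Report" data-x="y',
  description: '<b>not bold</b> & more',
};

// Stand-alone run: the unsafe row gains two extra tags (<b> and </b>);
// the safe row keeps exactly the four tags the template itself contains.
console.log('unsafe tags:', countTags(renderRowUnsafe(sampleRow)));
console.log('safe tags:  ', countTags(renderRowSafe(sampleRow)));
console.log(renderRowSafe(sampleRow));
```

In a real page the DOM-building form from the answer (`createTextNode`, jQuery's `text()` and `attr()`) is still the better choice, because it removes the encoding step entirely rather than relying on the author to remember it at every concatenation.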
