在客户端防止XSS(纯Javascript) [英] Prevent XSS on client-side (Pure Javascript)
问题描述
我有一个简单的项目,但令我头疼,因为客户端编程不是我的事。基本上我有一个登录页面,客户希望我阻止XSS攻击,不允许用户不在用户名/密码字段上提交恶意代码。我会很容易在服务器端做,但他们不希望给我们访问。
i got a simple project but is giving me headaches because Client-Side programming is not my thing. Basically i got a login page and the client wants that i prevent XSS attacks not allowing users not submit malicious code on username/password fields. I would do it on server side easily, but they do not want give to us access.
任何人有机会给我提示我该怎么做?即使很难,我也知道javascript / HTML的基础知识,我的经验几乎无效。
Any chance to someone give me hints how can i do this? Even tough i know the basics of javascript/HTML, my experience ir nearly null.
我知道这个主题有几个问题,但真诚地,我迷失了所有信息
I know that are several questions about this topic, but sincerely, i got lost with all information
最好的问候
推荐答案
其实你只是不能在客户端进行任何可靠的XSS预防。攻击者只是禁用JavaScript,并且所有复杂的代码都不存在。任何客户端验证仅用于方便用户,仅此而已。
Actually you simply cannot make any reliable XSS prevention on the client side. The attacker simply disables JavaScript, and all your complicated code is non-existent. Any client-side validation is only for the convenience of the users, nothing more.
更新:上面我写的,关于二阶(又名存储)XSS。 第一顺序 XSS攻击(当攻击者创建伪造的URL时)可以使用JavaScript进行缓解。
Update: The above I wrote, is true about second order (a.k.a. stored) XSS. First order XSS attacks (when the attacker creates a forged URL) can be mitigated using JavaScript.
这篇关于在客户端防止XSS(纯Javascript)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!