一个正则表达式的空白字符会引起注入吗? [英] can a regex whitespace character cause an injection?
问题描述
如果我想验证< textarea>
的输入,并希望它包含,例如,只包含数值,但甚至想要给用户插入新行的可能性,我可以用javascript正则表达式选择想要的字符,甚至包括空格字符。
if I want to validate the input of a <textarea>
, and want it to contain, for example, only numerical values, but even want to give users the possibility to insert new lines, I can selected wanted characters with a javascript regex that includes even the whitespace characters.
/[0-9\s]/
问题是:即使我认为最后一个选项是不可能的,还是任何其他类型的攻击,是否可以使用白字符来执行注入,XSS?
The question is: do a whitecharacter can be used to perform injections, XSS,even if I think this last option is impossible, or any other type of attack ?
谢谢
推荐答案
/ [0我相信-9 \ s] /
应该是一个安全的白名单。但是,您确实需要确保它检查整个输入;我认为你的意思是 / ^ [0-9 \ s] * $ /
。
/[0-9\s]/
should be a safe whitelist to use, I believe. You do need to ensure that it checks the entire input, though; I think you mean /^[0-9\s]*$/
.
还要记住,当然,您必须在服务器端验证它,而不仅仅是在浏览器中。攻击者可以轻松绕过JavaScript验证码。
Also remember, of course, that you have to validate it server-side, not just in the browser. Attackers can easily bypass JavaScript validation code.
这篇关于一个正则表达式的空白字符会引起注入吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!