Javascript清理:插入可能的XSS html字符串的最安全方法 [英] Javascript sanitization: The most safe way to insert possible XSS html string

问题描述

当前，我将此方法与jQuery解决方案配合使用，以清除可能的XSS攻击中的字符串.

Currently i'm using this method with jQuery solution, to clean string from possible XSS attacks.

sanitize:function(str) {
    // return htmlentities(str,'ENT_QUOTES');
    return $('<div></div>').text(str).html().replace(/"/gi,'&quot;').replace(/'/gi,'&apos;');   
}

但是我觉得它不够安全.我想念什么吗?

But i have a feeling it's not safe enough. Do i miss something?

我在这里尝试了来自phpjs项目的htmlentities: http://phpjs.org/functions/htmlentities:425/

I have tried htmlentities from phpjs project here: http://phpjs.org/functions/htmlentities:425/

但是它有点bug，并返回了一些其他特殊符号.也许是旧版本?

But it's kinda bugged and returns some additional special symbols. Maybe it's an old version?

例如:

htmlentities('test"','ENT_QUOTES');

产生:

test"

但应该是:

test"

您如何通过javascript处理此问题?

How are you handling this via javascript?

推荐答案

是的，使用javascript动态地进行.字符串来自不受信任的来源.

Yes dynamically using javascript. String comes from untrusted source.

然后，您无需手动对其进行消毒.使用jQuery，您可以编写

Then you don't need to sanitize it manually. With jQuery you can just write

​var str = '<div>abc"def"ghi</div>​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​';

​$​('test').text(str);
$('test').attr('alt', str);

浏览器将为您从代码中分离数据.

Browser will separate the data from the code for you.

示例: http://jsfiddle.net/HNQvd/

这篇关于Javascript清理:插入可能的XSS html字符串的最安全方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！