Does Vue, by default, provide security for or protect against XSS?

Problem description

I am trying to figure out how to protect,

  • Angular
  • Vue
  • React

against XSS attacks. When I visit the Angular official docs,

https://angular.io/guide/security

, it says:

To systematically block XSS bugs, Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template, via property, attribute, style, class binding, or interpolation, Angular sanitizes and escapes untrusted values.

and also:

Angular sanitizes untrusted values for HTML, styles, and URLs; sanitizing resource URLs isn't possible because they contain arbitrary code. In development mode, Angular prints a console warning when it has to change a value during sanitization.

and:

Angular recognizes the value as unsafe and automatically sanitizes it, which removes the tag but keeps safe content such as the element.

When I go to the React official docs,

https://reactjs.org/docs/introducing-jsx.html#jsx-prevents-injection-attacks

, it says the following:

It is safe to embed user input in JSX:

and:

By default, React DOM escapes any values embedded in JSX before rendering them. Thus it ensures that you can never inject anything that’s not explicitly written in your application. Everything is converted to a string before being rendered. This helps prevent XSS (cross-site-scripting) attacks.

But for Vue, I cannot find anything in their docs about XSS protection, or anything that they could provide by default.

My question: Does Vue, by default, deliver any way of protection against XSS attacks, or would I need to look for a 3rd party solution?

When I Google for this subject I get a lot of blog posts, sites and articles referring to, for example, this project to sanitize my HTML:

https://github.com/punkave/sanitize-html

Solution

There is no built-in sanitizer in Vue. As per Evan You's (creator of Vue) comment on an issue:

built-in sanitizer would add extra bundle weight for a rare use case (when most use cases of v-html are for trusted content); it is also trivial to add sanitize-html by setting Vue.prototype.$sanitize = sanitizeHTML and then do v-html="$sanitize(html)".

Check this post: https://github.com/vuejs/vue/issues/6333
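
Because `v-html` renders its value as raw HTML, the `$sanitize` wrapper from the quoted comment only helps if every binding actually uses it. The following is an added example, not part of the original question or answer: a dependency-free Node.js check that scans template source for `v-html` bindings whose expression is not a single `$sanitize(...)` call. The helper names and the sample template are constructed for illustration.

```javascript
// Added example, not from the original post. Flags v-html bindings whose
// expression is not one complete $sanitize(...) call.
const V_HTML_ATTR = /(?<![\w-])v-html\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// True only when the whole expression is a single $sanitize(...) call.
// Limitation: parentheses inside string literals are not special-cased.
function isSanitizedExpression(expr) {
  const call = /^\s*\$sanitize\s*\(/.exec(expr);
  if (!call) return false;
  let depth = 0;
  for (let i = call[0].length - 1; i < expr.length; i++) {
    if (expr[i] === '(') depth++;
    else if (expr[i] === ')' && --depth === 0) {
      // Anything after the closing parenthesis is unsanitized data.
      return expr.slice(i + 1).trim() === '';
    }
  }
  return false; // unbalanced call
}

// Returns one finding per v-html binding that bypasses $sanitize.
function findUnsanitizedVHtml(source, file = '<inline>') {
  const findings = [];
  for (const m of source.matchAll(V_HTML_ATTR)) {
    const expr = m[1] !== undefined ? m[1] : m[2];
    if (!isSanitizedExpression(expr)) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ file, line, expression: expr.trim() });
    }
  }
  return findings;
}

// Constructed sample template (hypothetical component).
const SAMPLE_TEMPLATE = `
<template>
  <div>
    <p>{{ comment.body }}</p>
    <div v-html="comment.body"></div>
    <div v-html="$sanitize(comment.body)"></div>
    <div v-html="$sanitize(comment.title) + comment.body"></div>
  </div>
</template>`;

console.log(findUnsanitizedVHtml(SAMPLE_TEMPLATE, 'Comment.vue'));
```

The third binding is flagged because only part of the rendered string passes through the sanitizer.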
