正在使用href =“" javascript:" Angular 2+中有危险吗? [英] Is using href="javascript:" dangerous in Angular 2+?

问题描述

来自《 Angular安全指南》 ，它是:

要阻止XSS攻击，必须防止恶意代码进入 DOM(文档对象模型).例如，如果攻击者可以欺骗 您在DOM中插入标签，它们可以任意运行 您网站上的代码.攻击不仅限于标签-许多 DOM中的元素和属性允许代码执行，例如， <img onerror="...">和<a href="javascript:...">.如果 攻击者控制的数据进入DOM，期望安全 漏洞.

To block XSS attacks, you must prevent malicious code from entering the DOM (Document Object Model). For example, if attackers can trick you into inserting a tag in the DOM, they can run arbitrary code on your website. The attack isn't limited to tags—many elements and properties in the DOM allow code execution, for example, <img onerror="..."> and <a href="javascript:...">. If attacker-controlled data enters the DOM, expect security vulnerabilities.

我有时使用<a href="javascript:" (click)="someFunction()">link</a>使用CSS选择器(a:link)来定位元素，而没有链接引用URI，锚点或运行任何代码.

I've sometimes used <a href="javascript:" (click)="someFunction()">link</a> to target the element with CSS selectors (a:link) without the link referencing a URI, anchor, or running any code.

这是危险的做法吗?他们并没有给出如何利用它的示例.

Is this a dangerous practice? They don't really give an example of how this could be exploited.

如果这是不好的做法，那么请在

And if this is bad practice, then here's my dilemma: If I have a series of links in a nav, some of them ARE HREFs, and some of them bind to JS, but I want them all to look the same and use the same CSS selectors. Is there an easy way to accomplish that?

推荐答案

尝试为具有(点击)的链接添加空的href

Try adding an empty href for links that has (click)

<a (click)="action()" href>Previous</a>

如果它不起作用，您可以尝试

If it doesn't work, you can try

<a href (click)="doSomething(); $event.preventDefault()">Link</a>
<a href (click)="!!doSomething()">Link</a>
<a href (click)="doSomething(); false">Link</a>

这篇关于正在使用href =“" javascript:" Angular 2+中有危险吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！