Does 'innerText' prevent XSS?


Question

If I am going to be displaying user-generated input on my site, is it safe enough to just display it by doing Element.innerText = "user input" in javascript, or do I need to additionally filter the input to prevent XSS?

Answer

Does 'innerText' prevent XSS?

Not in all cases! The following excerpt is from the OWASP Foundation regarding unsafe usages of innerText:

One example of an attribute which is thought to be safe is innerText. Some papers or guides advocate its use as an alternative to innerHTML to mitigate against XSS in innerHTML. However, depending on the tag to which innerText is applied, code can be executed.

The content provides the following example (which I have modified for clarity):

const tag = document.createElement("script");
tag.innerText = `console.log('Inner Text Used')`;
document.body.appendChild(tag); //executes code

However, in MOST cases, innerText is the method you would use to prevent XSS, and is also documented on OWASP:

... use innerText/textContent. This will solve the problem, and it is the right way to remediate DOM based XSS vulnerabilities
