In general, in JavaScript, isn't using innerHTML an [in]security issue?

Question
With the DOM and cool new tools such as reactjs, should innerHTML ever be used in a javascript program?

Using it is a lot like opening oneself to an SQL injection attack, but here it's a cross-site scripting etc. Everything needs to be examined and scrubbed before it's used.

Seems to me innerHTML has the same security issues as eval() and should be avoided for [in]security reasons.

(Also aesthetically, but that's just me.)
Answer

Yes, innerHTML is often misused and a very common source of client-side HTML-injection (DOM-XSS) security holes.

It's usually better to use object-style creation methods, such as createElement, textContent and setting direct DOM properties. Similarly in jQuery, prefer to set variable content using .text() and .prop() rather than .html(), or passing HTML markup to the manipulation methods that allow it.

There are some exceptions though:

- if you're using a client-side templating language that deals with HTML-escaping for you automatically (eg lodash templates with <%-), it's safe to write the output to innerHTML.
- if you're appending a lot of siblings to a single element and performance is a priority (the usual example being a <table> with a large number of rows), HTML markup creation can be worth it and you will just have to be careful to HTML-escape all the text manually.
- where the content is actually supposed to be HTML, for example you have data that has been processed from Markdown.
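The two safe paths the answer describes, shown side by side with the unsafe one, as an added example that is not part of the original question or answer. The sample rows (one cell carrying an `<img onerror>` payload) are constructed for the demonstration, and the function names (escapeHtml, renderRowsUnsafe, renderRowsEscaped, appendRowsWithDom, payloadSurvives) are this example's own, not any library's API. The escaping and markup-building functions run in plain Node; the createElement/textContent path only runs where a `document` exists.

```javascript
// Added example (not from the original post). Demonstrates: string concatenation
// into markup (unsafe), the answer's "HTML-escape everything manually" exception
// for bulk <table> rows, and the preferred object-style DOM construction.

// Constructed sample data: the second row's user field is attacker-controlled
// and carries a DOM-XSS payload.
const rows = [
  { user: "alice", note: "hello" },
  { user: "<img src=x onerror=alert(document.cookie)>", note: "a & b < c" },
];

// Minimal HTML escaper for text going into element content or a double-quoted
// attribute value. These five characters are the ones that change parsing there.
// (Hypothetical helper; not a real library function.)
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

// UNSAFE: raw values concatenated into markup. Once this string is assigned to
// innerHTML, the <img onerror> in the second row becomes a live element.
function renderRowsUnsafe(rows) {
  return rows
    .map((r) => `<tr><td>${r.user}</td><td>${r.note}</td></tr>`)
    .join("");
}

// SAFE (the answer's performance exception): same markup, but every text value
// is escaped before concatenation, so the parser only ever sees text nodes.
function renderRowsEscaped(rows) {
  return rows
    .map((r) => `<tr><td>${escapeHtml(r.user)}</td><td>${escapeHtml(r.note)}</td></tr>`)
    .join("");
}

// SAFE (the answer's preferred approach): object-style creation. textContent
// never invokes the HTML parser, so no escaping step is needed at all.
// Browser-only: Node has no `document`.
function appendRowsWithDom(tbody, rows) {
  for (const r of rows) {
    const tr = document.createElement("tr");
    for (const value of [r.user, r.note]) {
      const td = document.createElement("td");
      td.textContent = value; // literal text, even if it looks like a tag
      tr.appendChild(td);
    }
    tbody.appendChild(tr);
  }
}

// Check helper: does the payload's tag survive as a real tag in the markup?
function payloadSurvives(html) {
  return /<img\b/i.test(html);
}

if (typeof document !== "undefined") {
  const tbody =
    document.querySelector("tbody") ||
    document.body.appendChild(document.createElement("tbody"));
  appendRowsWithDom(tbody, rows);
} else {
  console.log("unsafe markup keeps payload: ", payloadSurvives(renderRowsUnsafe(rows)));
  console.log("escaped markup keeps payload:", payloadSurvives(renderRowsEscaped(rows)));
}
```

The escaped string builder is only acceptable because every interpolation site is wrapped in escapeHtml and every value lands in element content; putting the same values into an unquoted attribute, a `javascript:` URL or a `<script>` body would need different encoding, which is the reason the answer treats string-building as the exception rather than the rule.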