AJAX response returns an HTML response (XSS, Veracode)


Question

// Assumed for this listing: the page defines the timeout elsewhere; a placeholder value is used here.
var ajaxTimeOutMilliSeconds = ajaxTimeOutMilliSeconds || 10000;

// `e` is the click event handed in by the caller (e.g. onclick="viewAcc(event)");
// the original listing referenced `e` without declaring it.
function viewAcc(e) {
    var errorMsg = "";
    var result = true;
    $(".errorView").hide();
    var accNum = document.getElementById('custAccNum').value;
    var accType = document.getElementById('custAccType').value;
    $("#overlayPopup").show();
    $.ajax({
        url : '<attribute:resourceURL/>',
        data : {
            "custNo" : accNum ,
            "custType" : accType 
        },
        success : function(data) {
            if (data == 'CUS_ACC') {
                window.location = "/cust/account/c";
            } else {
                $("#overlayPopup").hide();
                //display warning
                $(".errorView").show();
                $(".errorView").html(data); // <--- XSS line: server text is parsed as HTML
                if (e) { e.preventDefault(); }
            }
        },
        cache : false,
        dataType : 'text',
        error : function(error, textStatus, errorThrown) {
            alert('error in ajax call: ' + textStatus);
            console.log('error in ajax call: ' + textStatus);
            window.location = "/cust/account/c/lookup";
        },
        timeout : ajaxTimeOutMilliSeconds
    });

}

So Veracode points out that I have an issue on $(".errorView").html(data); How do I fix this? If I just make it text, will it show on the client as is, with the HTML?

Answer

You can simply use .text() instead of .html(). If you don't have any markup coming from the server, this is a perfectly viable alternative, since .text() prevents the content from being interpreted as HTML.

//doing sc+ript is only needed here because Stack Snippets otherwise throws an error.
var msg = "This is <b>a message</b> with <script>console.log('some code')</sc"+"ript>";
$("#msgHtml").html(msg);
$("#msgText").text(msg);

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>

<h3>Message via .html():</h3>
<div id="msgHtml"></div>

<h3>Message via .text():</h3>
<div id="msgText"></div>
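The answer's caveat is the interesting case: what if the error view does need some formatting? The pattern below (an added example, not code from the question or the answer, and using plain JavaScript with no jQuery so it also runs in Node) keeps the markup in fixed client-side templates and only ever inserts server strings after escaping them; the JSON reply shape and the sample replies are assumptions constructed for the example.

```javascript
// What .text(data) amounts to: every character that could start markup is shown
// literally. This is the same escaping the browser applies to textContent.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Assumed structured reply instead of the bare 'CUS_ACC' / free-text protocol:
//   { "status": "CUS_ACC" }                                  -> redirect
//   { "status": "ERROR", "message": "...", "hint": "..." }  -> show message
// Returns an action object; the caller does window.location or $(...).html(result.html).
// result.html is safe to hand to .html() because every server string in it is escaped.
function interpretLookupResponse(raw) {
  let reply;
  try {
    reply = JSON.parse(raw);
  } catch (err) {
    // Not JSON (legacy plain-text body, or something tampered with): treat it as
    // opaque text, never as HTML.
    return { action: 'error', html: '<span class="err">' + escapeHtml(raw) + '</span>' };
  }
  if (reply && reply.status === 'CUS_ACC') {
    return { action: 'redirect', url: '/cust/account/c' };
  }
  const message = reply && typeof reply.message === 'string' ? reply.message : 'Lookup failed';
  // Formatting (<b>, <br>, <small>) comes from this fixed template, not from the server.
  const hint = reply && typeof reply.hint === 'string'
    ? '<br><small>' + escapeHtml(reply.hint) + '</small>'
    : '';
  return { action: 'error', html: '<b>' + escapeHtml(message) + '</b>' + hint };
}

// Constructed sample replies for a quick check.
const SAMPLE_OK = '{"status":"CUS_ACC"}';
const SAMPLE_ERR = '{"status":"ERROR","message":"Account 12345 not found","hint":"Check the account type"}';
const SAMPLE_TAMPERED = 'No account <img src=x onerror="alert(1)">';

if (typeof module !== 'undefined' && require.main === module) {
  console.log(interpretLookupResponse(SAMPLE_OK));
  console.log(interpretLookupResponse(SAMPLE_ERR).html);
  console.log(interpretLookupResponse(SAMPLE_TAMPERED).html);
}
```

In the question's success callback this would replace the string comparison and the .html(data) line: redirect on `action === 'redirect'`, otherwise `$(".errorView").html(result.html)`.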
