in general, in javascript, isn't using innerHTML an [in]security issue?
Question

with the DOM and cool new tools such as reactjs, should innerHTML ever be used in a javascript program?

using it is a lot like opening oneself to an SQL injection attack, but here it's cross-site scripting etc. everything needs to be examined and scrubbed before it's used.

seems to me innerHTML has the same security issues as eval() and should be avoided for [in]security reasons.

(also aesthetically, but that's just me.)
Recommended answer

Yes, innerHTML is often misused and a very common source of client-side HTML-injection (DOM-XSS) security holes.

It's usually better to use object-style creation methods, such as createElement, textContent and setting direct DOM properties. Similarly in jQuery, prefer to set variable content using .text() and .prop() rather than .html(), or passing HTML markup to the manipulation methods that allow it.

There are some exceptions though:

- if you're using a client-side templating language that deals with HTML-escaping for you automatically (eg lodash templates with <%- ), it's safe to write the output to innerHTML.
- if you're appending a lot of siblings to a single element and performance is a priority (the usual example being a <table> with a large number of rows), HTML markup creation can be worth it and you will just have to be careful to HTML-escape all the text manually
- where the content is actually supposed to be HTML, for example you have data that has been processed from Markdown.