What are the risks of using and avoiding javascript?
One of the most common errors is HTML injection, allowing third parties to inject JavaScript into your security context. It lets an attacker control what the user does on your site, completely breaking account security.
However, while web authors have made some slow progress in remembering to HTML-encode strings on the server side (such as htmlspecialchars in PHP), a new generation of webapps using JavaScript to create content on the client side is using the same dumb string-concatenation hacks:
somediv.innerHTML = '<p>Hello, ' + name + '</p>';
Often used in jQuery:
$('table').append('<tr title="' + row.title + '"><td>' + row.description + '</td></tr>');
This is just as vulnerable as server-side HTML injection, and authors really need to stop building content this way. You can HTML-encode content on the client side, but since there is no built-in HTML encoder in JS, you have to do it yourself:
function encodeHTML(s) {
    // '&' must be replaced first so the entities produced by the later replacements are not double-encoded
    return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}
somediv.innerHTML = '<p>Hello, ' + encodeHTML(name) + '</p>';
However, it is usually better to avoid the need for this altogether by using the DOM methods and properties that are available:
var p = document.createElement('p');
p.appendChild(document.createTextNode('Hello, ' + name));
and with jQuery, use attr(), text() and the creation shortcut:
$('<tr>', {title: row.title}).append($('<td>', {text: row.description}));
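As an added example (not part of the answer above), here is the encoder from the answer placed beside the table-row snippet in both its concatenated and its encoded form, so the effect on a constructed input can be checked. This encodeHTML also covers '>' and the single quote, which the answer's version does not; renderRowUnsafe, renderRowSafe, countTags and sampleRow are names introduced here for illustration.

```javascript
// Added example: HTML encoder for text and double-quoted attribute contexts.
// Extends the answer's encoder to also cover '>' and the single quote.
function encodeHTML(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // first, so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The vulnerable pattern from the answer: untrusted values concatenated raw.
function renderRowUnsafe(row) {
  return '<tr title="' + row.title + '"><td>' + row.description + '</td></tr>';
}

// The same markup with every untrusted value encoded before concatenation.
function renderRowSafe(row) {
  return '<tr title="' + encodeHTML(row.title) + '"><td>' +
         encodeHTML(row.description) + '</td></tr>';
}

// Constructed sample input (not real data): a title containing a double quote,
// which ends the title attribute early, and a description carrying a tag.
const sampleRow = {
  title: 'Report "Q3"',
  description: '<b>bold</b> & more',
};

// Crude check: count tag openers in the output. The template itself writes
// exactly four (tr, td, /td, /tr); anything beyond that came from the data.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/]/g) || []).length;
}

console.log('unsafe:', renderRowUnsafe(sampleRow), countTags(renderRowUnsafe(sampleRow)));
console.log('safe:  ', renderRowSafe(sampleRow), countTags(renderRowSafe(sampleRow)));
```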