简体繁体 English

从字符串获取textContent

[英]get textContent from string

原文 2013-12-23 23:26:45 6 1 javascript/ dom

I'm working on an app, and I need to get the value that would be returned by the textContent property of a div if I inserted the string into the div (empty) with the innerHTML property. 我正在开发一个应用程序，如果我使用innerHTML属性将字符串插入div（空），则需要获取div的textContent属性返回的值。 This is for a preview for the user. 这是给用户的预览。 Obviously, I could do exactly that, but I can't have any scripts run from the parsed string of HTML. 显然，我可以做到这一点，但是我无法从已解析的HTML字符串中运行任何脚本。 For example, if the string contained <img src="https://www.google.com/images/srpr/logo11w.png" onload="alert('hello')"> , the alert would show. 例如，如果字符串包含<img src="https://www.google.com/images/srpr/logo11w.png" onload="alert('hello')"> ，则会显示警报。

Edit: this is a file editing app, so the string could be anything. 编辑：这是一个文件编辑应用程序，因此字符串可以是任何东西。 The user could receive a malicious file and open it with the app and be hacked. 用户可能会收到恶意文件，并使用该应用程序将其打开并遭到黑客攻击。

1 个解决方案

One thing to consider is: where is this stuff that is previewed coming from? 要考虑的一件事是：预览的东西从哪里来？

More than likely, it's coming from the user's own browser. 它很有可能来自用户自己的浏览器。

There is no security risk in a user hacking their own browser. 用户入侵自己的浏览器不会带来安全风险。

The only time you need to worry yourself is when you are giving one user something that was submitted by another user. 您唯一需要担心的就是当您向一个用户提供其他用户提交的内容时。 At this point, you have to worry about XSS attacks, and shoud trim accordingly. 此时，您必须担心XSS攻击，并据此进行调整。 If this is the case, then please let me know. 如果是这种情况，请告诉我。 However, if not, then what you have is a sandbox, where it doesn't matter what the user does. 但是，如果没有，那么您拥有的只是一个沙箱，用户在什么地方做什么都没有关系。