通过Javascript设置表单字段值时的安全注意事项?
[英]Safety considerations when setting form field values via Javascript?
问题描述
I'd like to know if there are safety concerns when setting form field values directly via Javascript. 
我想知道在通过Javascript直接设置表单字段值时是否存在安全问题。 I am quite sure that it is safe to do so under all circumstances, but I should be absolutely sure instead of quite sure. 我确信在任何情况下这样做都是安全的,但我应该绝对肯定而不是很确定。 So, I am asking for your opinions. 所以,我在征求你的意见。
What I mean: 我的意思是说:
Suppose I have an HTML form which contains a text input field with id "txt_Field", and I am doing the following: 假设我有一个HTML表单,其中包含一个id为“txt_Field”的文本输入字段,我正在执行以下操作:
...
myvalue = "<script>alert('I am evil');</script>";
document.getElementById("txt_Field").value = myvalue;
...
ie I am setting the value of the form field to a string which is hold in a variable without escaping or filtering that string in any way. 即我将表单字段的值设置为一个字符串,该字符串保存在变量中而不以任何方式转义或过滤该字符串。 Of course, that string actually would contain user generated input with evil things of all kinds. 当然,该字符串实际上将包含用户生成的输入与各种邪恶的东西。
Nevertheless, I think it is safe to do so. 不过,我认为这样做是安全的。 Does anybody know of an example which proves the opposite? 有人知道一个证明相反的例子吗?
Please note that the question is not if the unfiltered form field value could do harm at the backend when the form data is sent to the server. 请注意,问题不在于,当表单数据发送到服务器时,未经过滤的表单字段值是否会在后端造成损害。
I just would like to know if anybody could think of any content in myvalue which could trick a (modern) browser into strange behavior when form field values are set this way, or if I have generally misunderstood something very important. 我只是想知道是否有人能够想到myvalue中的任何内容,当表单字段值以这种方式设置时,或者如果我一般误解了非常重要的东西时,它可以欺骗(现代)浏览器变成奇怪的行为。
Thank you very much! 非常感谢你!
1 个解决方案
解决方案1
-1 2015-08-08 20:03:38
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.