[英]Preventing XSS when using .attr('href', url) in jQuery
I want to update the href
tag in jQuery. 我想更新jQuery中的href
标签。 The data is untrusted. 数据不受信任。 I'm trying to understand how can I craft a malicious input to cause an XSS type attack. 我试图了解如何制作恶意输入以引起XSS类型攻击。
<a href='http://example.com' class='link'>Link</a>
My understanding is that the function below should terminate the href
tag unexpectedly and create a new attribute onclick
, but it doesn't work. 我的理解是,下面的函数应该意外终止href
标记并创建一个新属性onclick
,但是它不起作用。
$('.link').on('click', function(e){
e.preventDefault();
$(this).attr('href',"' onclick='alert(\"ok\")'");
});
Here's the fiddle : http://jsfiddle.net/c1d7tuda/1/ 这是小提琴: http : //jsfiddle.net/c1d7tuda/1/
PS End goal is to use _.escape()
for HTML entities, but want to justify its usage. PS End的目标是对HTML实体使用_.escape()
,但要证明其用法合理。
If you're updating the href
attribute of your link using unvalidated user input, a malicious user could supply javascript:alert(0)
as their href
value. 如果您使用未经验证的用户输入更新链接的href
属性,则恶意用户可以提供javascript:alert(0)
作为其href
值。 Then, if a user clicked on the link, it would execute the malicious user's arbitrary javascript. 然后,如果用户单击链接,它将执行恶意用户的任意javascript。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.