
Example of bad React dangerouslySetInnerHTML?

Is there an example of misuse of dangerouslySetInnerHTML in ReactJS?

Every time I look this up, it's just someone waving their hand and saying "cross site scripting."

I've seen dangerouslySetInnerHTML used to load CSS files with a CSS loading npm module:

import {stylesheet, classNames} from '../static/css/styles.css'
<Head><style dangerouslySetInnerHTML={{__html: stylesheet}} /></Head>

And I'm contemplating using dangerouslySetInnerHTML for some script tags for social media share buttons that have been causing my team trouble.

Code examples and explanations of how one would go about hacking a page with XSS would be highly appreciated!

<span dangerouslySetInnerHTML={{__html: someTextSubmittedByAUser}}></span>

Imagine if you had a comment section on your page and someone submitted a comment with:

<script>while(1){}</script>

and you just passed that as the inner HTML to some node. Now anyone who hits a page which loads that comment will have their tab lock up.

There are far more nefarious things people can do. Copying your cookies and sending them to a remote server, for example.
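To make the difference between the two React paths concrete, here is an added example (not code from the question or the answer above). It needs no React install: escapeHtml() mirrors the characters React escapes in text children, and the render helpers are simplified stand-ins written for illustration; the trusted-HTML marker is an assumed mitigation pattern, not a React API.

```javascript
// Characters React escapes when rendering a string as a text child.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in for <span>{text}</span>: user input is always treated as text,
// so a submitted <script> tag reaches the DOM as inert characters.
function renderTextSpan(text) {
  return `<span>${escapeHtml(text)}</span>`;
}

// Stand-in for <span dangerouslySetInnerHTML={{__html: html}} />: the
// string is inserted verbatim, so markup in it is parsed as DOM instead of
// being shown as text. This is the path the answer above warns about.
function renderRawSpan(html) {
  return `<span>${html}</span>`;
}

// Mitigation pattern (assumed, not part of React): only HTML produced at
// build time, like the imported stylesheet in the question, may reach the
// raw path. A private symbol marks such values; plain strings, which is
// what user-submitted input is, are refused.
const TRUSTED = Symbol('trusted-html');
function trustedHtml(html) {
  return { [TRUSTED]: true, __html: html };
}
function renderTrustedSpan(value) {
  if (value === null || typeof value !== 'object' || value[TRUSTED] !== true) {
    throw new TypeError('dangerouslySetInnerHTML needs build-time trusted HTML');
  }
  return `<span>${value.__html}</span>`;
}

// Constructed samples: the comment from the answer, and a stylesheet string
// standing in for the build-time CSS import from the question.
const USER_COMMENT = '<script>while(1){}</script>';
const BUILD_TIME_CSS = '.share-button { color: red; }';

// Returns all four outcomes so the example can be run as a script.
function demo() {
  let refused = null;
  try { renderTrustedSpan(USER_COMMENT); } catch (e) { refused = e.message; }
  return {
    asText: renderTextSpan(USER_COMMENT),          // tag is escaped
    asRawHtml: renderRawSpan(USER_COMMENT),        // tag is live markup
    trusted: renderTrustedSpan(trustedHtml(BUILD_TIME_CSS)),
    refused,                                       // user string rejected
  };
}
```

If you genuinely must render user-supplied HTML (rich-text comments), run it through a maintained sanitizer such as DOMPurify before wrapping it as trusted; the marker only records that a decision was made, it does not sanitize anything itself.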
