How to prevent Client DOM XSS vulnerability in javascript?

After a Checkmarx scan on my code, I am getting the below message.

Method execute at line 23 of ...\action\searchFun.js gets user input for the form element.

This element's value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in function at line 28 of ../action/searchFun.js. This may enable a DOM XSS attack.

Could someone help me with how to sanitize the above scenario to satisfy Checkmarx? Script as follows:

function searchAnnouncements(){
  $('#loadingAnnouncements').html('Loading...');
  var formData = $('form').serialize();   // user input from the form (the source)

  jQuery.ajax({
    type: "post",
    url:  "bat.ajax",
    data: formData,
    cache: false,
    dataType: "json",
    success: function(json) {
      $('div.block').unblock();
      $('#loadingAnnouncements').html('');
      if (json.resultSize > 0)
        // the sink: server-returned HTML is parsed and rendered as-is
        $('#searchResults').html(json.searchResult);
    }
  });
}

You can use the DOMPurify library. https://github.com/cure53/DOMPurify

This should prevent XSS injection while keeping safe HTML tags.

function searchAnnouncements(){
  $('#loadingAnnouncements').html('Loading...');
  var formData = $('form').serialize();

  jQuery.ajax({
    type: "post",
    url:  "bat.ajax",
    data: formData,
    cache: false,
    dataType: "json",
    success: function(json) {
      $('div.block').unblock();
      $('#loadingAnnouncements').html('');
      if (json.resultSize > 0)
        // DOMPurify must be loaded on the page before this runs
        $('#searchResults').html(DOMPurify.sanitize(json.searchResult));
    }
  });
}

Try modifying your code to be similar to the following:

function searchAnnouncements(){
    $("#loadingAnnouncements").html("Loading...");
    var formData = $("#form").serialize();   // assumes the form has id="form"

    jQuery.ajax({
        type: "post",
        url:  "bat.ajax",
        data: formData,
        cache: false,
        dataType: "json",
        success: function(json) {
            $("div.block").unblock();
            $("#loadingAnnouncements").html('');
            if (json.resultSize > 0)
                $("#searchResults").html(DOMPurify.sanitize(json.searchResult));
        }
    });
}
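Both answers keep `.html()` as the sink and put DOMPurify in front of it. That is the right fix only if `bat.ajax` genuinely has to return markup; if the result is plain text, `$('#searchResults').text(json.searchResult)` removes the sink altogether, and if the server can return data instead of HTML, building the markup on the client with every field escaped keeps layout under your control without ever parsing a user-influenced string as HTML. The example below is added here and is not code from the question or from either answer. It shows the three paths side by side on a constructed response in which the search term has been reflected into `searchResult` unescaped: the unsafe path, rendering as text, and rendering from structured data. The `{resultSize, searchResult}` shape comes from the question; the `{resultSize, items: [{title, snippet}]}` shape and all function names are assumptions for illustration. It runs in Node with no dependencies, and the DOM-touching helper is only meant to be called in a browser.

```javascript
// Added example, not from the original question or answers.
// Constructed server response: the kind of string that reaches the sink
// when the search term is echoed back inside searchResult without escaping.
const EVIL_RESPONSE = {
  resultSize: 1,
  searchResult: 'Results for <img src=x onerror="alert(document.cookie)">'
};

// 1) Unsafe path: what $('#searchResults').html(json.searchResult) hands to the
//    parser. Returned as a string here to show that nothing on the way
//    neutralises the tag; in a browser the onerror handler would run.
function unsafeRender(json) {
  return json.resultSize > 0 ? json.searchResult : '';
}

// 2) Render as text: the equivalent of $('#searchResults').text(...).
//    Every character that can open a tag or break out of an attribute value
//    becomes an entity, so the browser displays the payload literally.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

function safeTextRender(json) {
  return json.resultSize > 0 ? escapeHtml(json.searchResult) : '';
}

// 3) Preferred when you control the endpoint: return data, not HTML, and build
//    the markup on the client with each field escaped. (Assumed response shape.)
function renderItems(json) {
  if (!json.resultSize || !Array.isArray(json.items)) return '';
  return json.items.map((it) =>
    `<li><strong>${escapeHtml(it.title)}</strong>: ${escapeHtml(it.snippet)}</li>`
  ).join('');
}

// Browser-only variant of (3) that never touches innerHTML at all:
// text nodes and createElement cannot introduce markup.
function renderItemsInto(container, json) {
  container.textContent = '';
  for (const it of json.items || []) {
    const li = document.createElement('li');
    const strong = document.createElement('strong');
    strong.textContent = it.title;
    li.appendChild(strong);
    li.appendChild(document.createTextNode(': ' + it.snippet));
    container.appendChild(li);
  }
}

// Helper for checking a rendered string: does it still contain live markup?
function containsTag(html) {
  return /<[a-z][^>]*>/i.test(html);
}
```

Whichever path you take, the fix belongs at the sink in the success callback, and the choice between `.text()`, structured data and DOMPurify should be made by asking whether the endpoint needs to return HTML at all. If it does, keep DOMPurify's default allow-list rather than loosening it, and make sure the library is loaded on every page that calls `searchAnnouncements`. Whether Checkmarx then clears the finding depends on which functions its ruleset treats as sanitizers, so confirm that with whoever administers the scanner rather than assuming the rescan will be clean.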

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost them, please credit this site or the original source. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM