将URL哈希参数值直接分配给Javascript变量是否不安全?
[英]Is it unsafe to directly assign a URL hash parameter value to a Javascript variable?
问题描述
I'm looking at an article and on writing wizards in React, and having each step being associated with a URL. 
我正在看一篇文章,并在React中编写向导,并将每个步骤都与URL关联。 The author uses the "hash" part of the URL to specify the step, and assigns to this.state.currentStep . 作者使用URL的“哈希”部分指定步骤,并将其分配给this.state.currentStep 。 They comment that this is unsafe. 他们评论说这是不安全的。
class BasicWizard extends React.Component {
constructor() {
this.state = {
steps: []
currentStep: location.hash //obvs this is an unsafe way to do this -- this example is for conceptual purposes only
};
}
My question: 我的问题:
why is this unsafe? 为什么这不安全? My guess is it's a XSS hazard, but wouldn't this input be converted to a string by React anyway? 我猜这是XSS危害,但是React不会将此输入转换为字符串吗? The way I see it, this would only be unsafe if I were using _dangerouslySetInnerHTML somewhere. 从我的角度来看,这仅在我在某处使用_dangerouslySetInnerHTML不安全的。
If it is unsafe: how to make safe? 如果不安全:如何确保安全?
1 个解决方案
解决方案1
1 2017-12-03 11:48:00
Location.hash is not unsafe because it returns just a string. Location.hash并非不安全,因为它仅返回一个字符串。 See here: https://www.w3schools.com/jsref/prop_loc_hash.asp 看到这里: https : //www.w3schools.com/jsref/prop_loc_hash.asp
So what makes it dangerous? 那么,什么使它变得危险呢? It becomes dangerous when you use it dangerously. 危险使用时会变得危险。 Dangerous ways of using it: 危险的使用方式:
- Merge it unescaped with your html (_dangerouslySetInnerHTML) 与您的html(_dangerouslySetInnerHTML)合并以不转义
- Calling eval() on it 在其上调用eval()
- Use this input unescaped in a sql query 使用此输入在sql查询中不转义
- ... ...
But doing sth. 但是做某事。 like 喜欢
if(location.hash === 'login') {
}
or assigning it to a variabe is not unsafe. 或将其分配给可变参数并非不安全。 What you do with that variable although can be unsafe (see above list). 尽管可能不安全,但是您对该变量执行的操作(请参见上面的列表)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.