[英]Is it unsafe to directly assign a URL hash parameter value to a Javascript variable?
I'm looking at an article and on writing wizards in React, and having each step being associated with a URL. 我正在看一篇文章,并在React中编写向导,并将每个步骤都与URL关联。 The author uses the "hash" part of the URL to specify the step, and assigns to
this.state.currentStep
. 作者使用URL的“哈希”部分指定步骤,并将其分配给
this.state.currentStep
。 They comment that this is unsafe. 他们评论说这是不安全的。
class BasicWizard extends React.Component {
constructor() {
this.state = {
steps: []
currentStep: location.hash //obvs this is an unsafe way to do this -- this example is for conceptual purposes only
};
}
My question: 我的问题:
why is this unsafe? 为什么这不安全? My guess is it's a XSS hazard, but wouldn't this input be converted to a string by React anyway?
我猜这是XSS危害,但是React不会将此输入转换为字符串吗? The way I see it, this would only be unsafe if I were using
_dangerouslySetInnerHTML
somewhere. 从我的角度来看,这仅在我在某处使用
_dangerouslySetInnerHTML
不安全的。
If it is unsafe: how to make safe? 如果不安全:如何确保安全?
Location.hash is not unsafe because it returns just a string. Location.hash并非不安全,因为它仅返回一个字符串。 See here: https://www.w3schools.com/jsref/prop_loc_hash.asp
看到这里: https : //www.w3schools.com/jsref/prop_loc_hash.asp
So what makes it dangerous? 那么,什么使它变得危险呢? It becomes dangerous when you use it dangerously.
危险使用时会变得危险。 Dangerous ways of using it:
危险的使用方式:
But doing sth. 但是做某事。 like
喜欢
if(location.hash === 'login') {
}
or assigning it to a variabe is not unsafe. 或将其分配给可变参数并非不安全。 What you do with that variable although can be unsafe (see above list).
尽管可能不安全,但是您对该变量执行的操作(请参见上面的列表)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.