可以绕过HTML属性吗?
[英]Can HTML attributes be bypassed?
问题描述
Suppose I have an <input> tag with a pattern attribute (for example, a pattern that matches some format of a phone number), and I don't go through the standard HTML page in the browser to post that data (for example, through postman), would that data still be check against the regex pattern? 
假设我有一个带有pattern属性的<input>标记(例如,与电话号码的某种格式匹配的pattern ),并且我没有浏览器中的标准HTML页面来post该数据(例如,通过邮递员),该数据是否仍会根据正则表达式模式进行检查? In other words, can html attributes (like pattern or require ) be bypassed? 换句话说,可以绕过html属性(例如pattern或require )吗?
More generally, in terms of security, should server side scripts always check against all possible invalid data? 更一般而言,就安全性而言,服务器端脚本是否应始终检查所有可能的无效数据?
1 个解决方案
解决方案1
2 已采纳 2018-06-15 15:40:56
Yes, you should always validate security sensitive information server-side. 是的,您应该始终在服务器端验证对安全敏感的信息。 Never trust client input or assume it came from your HTML page. 永远不要相信客户端输入或假设它来自您的HTML页面。
Consider that with the dev tools that come with most popular browsers, these attributes could easily be manually removed from the DOM client side. 考虑到使用大多数流行浏览器附带的开发工具,可以轻松地从DOM客户端手动删除这些属性。 It wouldn't even require spoofing the entire page. 它甚至不需要欺骗整个页面。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.