我应该防止在密码字段中注入JavaScript吗?
[英]Should I prevent JavaScript injections in password field?
问题描述
I've found lots of information about JavaScript injections, but didn't find any specific regarding password field. 
我找到了许多有关JavaScript注入的信息,但是没有找到有关password字段的任何特定信息。
For my test GMail account I was able to set the next password <Script>alert(document.cookie);</script> and it works correctly. 对于我的测试GMail帐户,我可以设置下一个密码<Script>alert(document.cookie);</script> ,它可以正常运行。
Should I just encode the < and > to their HTML equivalent? 我应该只将<和>编码为它们的HTML等效语言吗?
How to handle such passwords? 如何处理这样的密码?
Edit #1: I store passwords in DB as hashes (and no issues for JavaScript injections here). 编辑#1:我将密码作为散列存储在数据库中(这里没有JavaScript注入问题)。 And I want to add a toggle for Password Visibility. 我想为密码可见性添加一个切换开关。 In this case I should encode the < and > to their HTML equivalent and that's it? 在这种情况下,我应该将<和>编码为它们的HTML等效项,就是这样吗?
1 个解决方案
解决方案1
0 已采纳 2019-08-02 17:18:11
I used the next advice: 我使用了下一条建议:
- you should store passwords in DB as hashes (no issues for JavaScript injections here). 您应该将密码作为散列存储在数据库中(此处没有JavaScript注入问题)。
for a
Password toggle Visibility:对于Password toggle Visibility:2.1 if it is implemented with a plain
<input>, you don't have to do anything (no JavaScript injections here).2.1如果使用普通的<input>,则无需执行任何操作(此处无JavaScript注入)。2.2 if it is implemented with a
<span>,<div>, etc, then you have to HTML-encode it (and note that you also have to worry about&characters).2.2如果使用<span>,<div>等实现,则必须对其进行HTML编码(请注意,您还必须担心&字符)。
<!DOCTYPE html> <html> <body> Password: <input type="password" value="<Script>alert(document.cookie);</script>" id="myInput"><br><br> <input type="checkbox" onclick="showPasswd()">Show Password <script> function showPasswd() { var x = document.getElementById("myInput"); if (x.type === "password") { x.type = "text"; } else { x.type = "password"; } } </script> </body> </html>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.