[英]AngularJS XSS in <input> field
I have an AngularJS app (Angular version 1.6.4) that uses an input field to bind an URL (that can be changed by the user) to a model.我有一个 AngularJS 应用程序(Angular 版本 1.6.4),它使用输入字段将 URL(可由用户更改)绑定到 Z20F35E630DAF44DBFA4C3F68F539DZ。 Here is how it looks like:
这是它的样子:
<input ng-model="connectorService.url">
This URL is then saved to a backend and re-loaded from there as soon as the page is refreshed.然后将此 URL 保存到后端,并在页面刷新后立即从那里重新加载。 I have tried to do some XSS by manipulating the POST requests that set the URL in the backend.
我试图通过操纵在后端设置 URL 的 POST 请求来做一些 XSS。
I entered <script>alert("XSS");</script>
into the input and it is set correctly (verified by manually requesting it from the backend).我在输入中输入了
<script>alert("XSS");</script>
并且设置正确(通过从后端手动请求来验证)。 When I reload the page, the input field contains the XSS but it is not executed.当我重新加载页面时,输入字段包含 XSS 但未执行。 What am I doing wrong?
我究竟做错了什么? Is there still a sandbox in AngularJS 1.6.4?
AngularJS 1.6.4 中还有沙盒吗?
Is there still a sandbox in AngularJS 1.6.4?
AngularJS 1.6.4 中还有沙盒吗?
No, the expression sandbox was removed with AngularJS 1.6不,表达式沙盒已使用 AngularJS 1.6 删除
From the Docs:从文档:
Another major change [with V1.6] is the removal of the Expression Sandbox .
[V1.6] 的另一个主要变化是删除了Expression Sandbox 。 This should not require changes to your application (and may give it a small performance boost), but we strongly recommend reading the Sandbox Removal Blog Post to understand the implications behind the removal and whether any action is required on your part.
这不需要对您的应用程序进行更改(并且可能会稍微提高性能),但我们强烈建议您阅读Sandbox Removal 博客文章以了解删除背后的含义以及您是否需要采取任何措施。
— AngularJS Developer Guide - Migrating to V1.6
— AngularJS 开发人员指南 - 迁移到 V1.6
For additional information, see有关其他信息,请参阅
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.