

Fortify scan issue with index.html in angular

My application is using an Angular front end with ASP.NET Core, and a Fortify scan brought up a security issue on index.html. One issue is this line.

  document.write('<base href="' + document.location + '"/>');

My understanding is that, this being a single page application, it serves us the base container on which the other components and scripts are loaded. So how do I address the issue? Isn't this how an Angular SPA is supposed to be? Secondly, the scan also shows multiple lines as vulnerabilities. Those would be and then similarly main.gh9787998886.bundle.js etc.

How can I fix this? Are these false positives?

Fortify often shows false positives (I think to be sure not to forget anything). For example, if there is some JavaScript code like key = 'something', then Fortify complains about it with a message like 'hardcoded encryption key'. I had that several times in the bundles, where third party components like Kendo UI do things like that. In Fortify you can mark them in the developer status as 'third party component' and let them disappear as suppressed issues. Fortify remembers that for the next code check, so you just have to do that once.

  document.write('<base href="' + document.location + '"/>');

I think this is not a false positive. I would recommend replacing that with

  <base href=".">

For the case where you use that to cover different deployments, you should rather use the --baseHref option of the build command.
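If the base path really has to be decided at runtime rather than with `<base href=".">` or `--baseHref`, the following is an added example (not code from the question or the answer) of doing it without splicing `document.location` into markup: only the origin and directory part of the URL are used, the query string and fragment are discarded, and the element is created through DOM APIs. The helper names and the `example.test` URLs are my own.

```javascript
// Added example: a runtime replacement for
//   document.write('<base href="' + document.location + '"/>');
// document.location includes the query string and fragment, which arrive with
// whatever link the user followed, so it must never be concatenated into HTML.

// Derive the application's base path from a full URL: keep the origin and the
// directory part of the pathname, drop the query string and the fragment.
function deriveBaseHref(href) {
  const url = new URL(href);                    // throws on malformed input
  const dir = url.pathname.slice(0, url.pathname.lastIndexOf('/') + 1);
  return url.origin + dir;                      // e.g. https://host/app/
}

// Install <base> through DOM APIs instead of document.write: assigning .href
// sets an attribute value, so nothing in it is parsed as markup.
// Returns the href in effect (an existing <base> wins, as in a built index.html).
function installBase(doc) {
  const existing = doc.querySelector('base[href]');
  if (existing) return existing.href;
  const base = doc.createElement('base');
  base.href = deriveBaseHref(doc.location.href);
  doc.head.prepend(base);
  return base.href;
}

// In a browser, run it before the Angular bundles load (e.g. inline in <head>).
if (typeof document !== 'undefined') installBase(document);
```

A fixed `<base href=".">` or `ng build --baseHref` remains the simpler option; this variant only matters when the deployment path is not known at build time.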

