
Angular - how to prevent XSS attacks in RxJs fromEvent?

I often use the fromEvent method from RxJS. To be honest, I was expecting some magic from Angular, but apparently there is none. How can I prevent XSS attacks while using fromEvent?

Code example:

<input #myInput />

import { fromEvent } from 'rxjs';
import { tap } from 'rxjs/operators';

// myInput is the #myInput template reference (ElementRef<HTMLInputElement>)
fromEvent(this.myInput.nativeElement, 'input').pipe(
  tap((inputEvent: InputEvent) => this.saveToDatabase(inputEvent.data))
).subscribe();

To your question: using fromEvent you get the same output as valueChanges in a reactive form; in terms of security measures, it is pretty much the same.

<input [formControl]="myInput" />
myInput.valueChanges.subscribe(console.log)

vs

<input #myInput />
fromEvent(this.myInput.nativeElement, 'input').subscribe(console.log)

Angular will sanitize the output if you wrap it in expression curly braces in your view

{{ .. }}

but it won't sanitize form input, so this is still a valid form input and sanitization still needs to be in place on the server side:

<script>alert('kdfkf')</script>

I wouldn't recommend using fromEvent to handle changes, as in most cases you only bind once to a certain element (supposedly in ngOnInit); if that element is removed from the DOM by *ngIf, your event is gone unless you have code to handle rebinding.

This answer might also help: Need to insert Script tag in angular 2

as well as this: https://angular.io/guide/security
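The point the answer makes, as an added example that is not part of the question or the answer: the value captured by fromEvent or valueChanges is raw user data and can be stored as-is; XSS is prevented at the rendering sink by output encoding (the effect you get from {{ }} interpolation), and an unsanitized [innerHTML]-style sink is where the stored markup becomes live. The escapeHtml, saveToDatabase and render* functions are assumed names written for this illustration, not Angular or RxJS APIs.

```typescript
// Added example, not code from the original post. Models output encoding at
// the rendering sink, which is what makes the captured input harmless.

// Sample input constructed from the payload quoted in the answer.
const SAMPLE_INPUT = "<script>alert('kdfkf')</script>";

// HTML-encode the characters that matter in HTML text and attribute contexts.
// A browser text node (what {{ }} interpolation produces) has the same effect.
function escapeHtml(value: string): string {
  const map: Record<string, string> = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return value.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in for saveToDatabase(): the raw value is kept unchanged, because
// escaping on input would corrupt legitimate data such as "a < b".
function saveToDatabase(store: string[], value: string): string[] {
  store.push(value);
  return store;
}

// renderAsText models {{ value }}: the markup survives only as inert text.
function renderAsText(value: string): string {
  return `<p>${escapeHtml(value)}</p>`;
}

// renderAsHtml models [innerHTML] with no sanitization: the stored payload
// is emitted as markup. Only renderAsText is safe for untrusted input.
function renderAsHtml(value: string): string {
  return `<p>${value}</p>`;
}

// True when a rendered fragment still contains a live <script> tag.
function containsScriptTag(html: string): boolean {
  return /<script\b/i.test(html);
}
```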
