What does =_= mean in JavaScript or HTML?

When I'm reading an XSS cheat sheet, I notice a special usage I have never seen:

<img src="/" =_=" title="onerror='prompt(1)'">

What does "=_=" mean? It's below the sentence "On Mouse Over". I guess it means a mouse over handler? And it causes XSS in this case. But it's all a guess. Can anyone help me?

It's just an attribute on the element. It doesn't have any meaning by itself, so it may be present simply as a red herring.

Prettified, the code is:

<img
  src="/"
  =_=" title="
  onerror='prompt(1)'"
>

In HTML, = in an attribute specifies the delimiter between the attribute name and the attribute value, so it's:

=_=" title="
^^ attribute name

=_=" title="
  ^ delimiter between attribute name and attribute value

=_=" title="
   ^ attribute value contents delimiter

=_=" title="
    ^^^^^^^ attribute value

=_=" title="
           ^ attribute value contents delimiter

And you could retrieve the attribute value if you wanted.

 const img = document.querySelector('img');
 console.log(img.getAttribute('=_'));
 <img src="/" =_=" title=" onerror='prompt(1)'" >

Note that the attribute name is =_ , not =_= - the final = is the delimiter, not part of the attribute name.

The "XSS" is caused only by the src and the onerror , not by anything else. Wherever you're encountering this, the =_ probably doesn't do anything at all. It could , but it probably doesn't.

 <img src="/" onerror='prompt(1)'">
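
The attribute boundaries walked through in the answer above can be reproduced without a browser. This is an added example, not part of the original answer: a simplified attribute tokenizer following the WHATWG start-tag states, showing that a filter has to inspect parsed attributes because `onerror` ends up as a live attribute rather than as text inside `title`. The function names are hypothetical, and character references and parse-error reporting are left out.

```javascript
// Added example: simplified WHATWG start-tag attribute tokenizer.
// Assumptions: input is one start tag; character references are not decoded.
function parseStartTagAttributes(tag) {
  const ws = c => c === ' ' || c === '\t' || c === '\n' || c === '\f' || c === '\r';
  let i = tag.indexOf('<') + 1;
  while (i < tag.length && !ws(tag[i]) && tag[i] !== '>' && tag[i] !== '/') i++; // tag name
  const attrs = [];
  while (i < tag.length) {
    // "Before attribute name": skip whitespace and stray '/', stop at '>'
    while (i < tag.length && (ws(tag[i]) || tag[i] === '/')) i++;
    if (i >= tag.length || tag[i] === '>') break;
    // "Attribute name": a leading '=' is a parse error, yet it starts the name;
    // quotes inside a name are also kept as ordinary name characters
    let name = tag[i++].toLowerCase();
    while (i < tag.length && !ws(tag[i]) && !'/>='.includes(tag[i])) {
      name += tag[i++].toLowerCase();
    }
    while (i < tag.length && ws(tag[i])) i++; // "After attribute name"
    let value = '';
    if (tag[i] === '=') {
      i++;
      while (i < tag.length && ws(tag[i])) i++; // "Before attribute value"
      const q = tag[i];
      if (q === '"' || q === "'") { // quoted value runs to the matching quote
        const end = tag.indexOf(q, i + 1);
        value = tag.slice(i + 1, end === -1 ? tag.length : end);
        i = end === -1 ? tag.length : end + 1;
      } else { // unquoted value runs to whitespace or '>'
        while (i < tag.length && !ws(tag[i]) && tag[i] !== '>') value += tag[i++];
      }
    }
    if (!attrs.some(([n]) => n === name)) attrs.push([name, value]); // first duplicate wins
  }
  return attrs;
}

// Defender's check: event-handler attributes the parser would actually create.
function eventHandlerAttributes(tag) {
  return parseStartTagAttributes(tag).map(([n]) => n).filter(n => n.startsWith('on'));
}

// The tag from the question
const sample = `<img src="/" =_=" title="onerror='prompt(1)'">`;
console.log(parseStartTagAttributes(sample));
console.log(eventHandlerAttributes(sample));
```

The same markup without the `=_=" ` fragment parses to a single `title` attribute whose value contains the text `onerror=...`, which is why checks on the raw string and checks on the parsed attributes can disagree.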
