堆栈内存溢出
  简体   繁体   English

防止密码在源代码中显示

[英]Preventing passwords showing in source code

 原文  2022-01-25 19:44:45       javascript/ php/ password-manager

问题描述

I am doing a password manager web app (like LastPass etc), one of the things that has occurred to me is that after using PHP to retrieve the passwords from a db and decrypting them and then using JS to display them in the UI, the variables containing their passwords are visible if someone looks at the source code.我正在做一个密码管理器 web 应用程序(如 LastPass 等),我发生的一件事是,在使用 PHP 从数据库中检索密码并解密它们然后使用 JS 在 UI 中显示它们之后,如果有人查看源代码,则可以看到包含其密码的变量。 Even if I did not use JS and used echo instead it would still be in the source code.即使我没有使用 JS 而是使用了 echo,它仍然会在源代码中。 Does anyone know of a, hopefully not too complex, way that can prevent the passwords from being in the source code?有谁知道一种可以防止密码出现在源代码中的方法,希望不会太复杂?

2 个解决方案

解决方案1
 0  2022-01-25 19:48:26

You can use JavaScript to send an HTTP request (using xhr or fetch) to your backend, then you can manipulate the DOM to show the password.您可以使用 JavaScript 向后端发送 HTTP 请求(使用 xhr 或 fetch),然后您可以操作 DOM 以显示密码。

解决方案2
 0 已采纳  2022-01-25 19:57:19

If you're talking about the HTML source code, this is normal.如果你说的是 HTML 源代码,这是正常的。 But there is a few way to avoid it:但是有几种方法可以避免它:

  • If you just want not to have it in your HTML when it is received by the user, then you can implement it via an Ajax request in javascript, to update the DOM with the text.如果您只是不想在用户收到它时将它包含在 HTML 中,那么您可以通过 javascript 中的 Ajax 请求来实现它,以使用文本更新 DOM。
  • If you want that when the user do inspect on the page he doesn't see the password you can use an input and set in javascript the value of it.如果您希望当用户在页面上进行inspect时他没有看到密码,您可以使用input并在 javascript 中设置它的值。 then you set the input as disabled so the user cannot modify it.然后您将输入设置为disabled ,以便用户无法修改它。 You can even change the type as password when needed so it's displayed as ****** when you want to hide it.您甚至可以在需要时将类型更改为密码,以便在您想要隐藏它时显示为******
  • Another way could be to add in javascript a css :after and tu put the value inside it.另一种方法是在 javascript 中添加 css :after并将值放入其中。 But it will still be visible somewhere I think.但它仍然会在我认为的某个地方可见。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 防止Javascript显示源代码 - Preventing Javascript from showing source code 通过在运行时从页面源中删除来防止JavaScript代码运行 - Preventing JavaScript code from running by removing from the page source at runtime Summernote没有显示我的源代码,而是显示了代码输出 - Summernote not showing me source code it is showing code output 有没有办法在源代码中显示动态标签? - Is there any way that dynamic tags showing in source code? "为什么 FireFox 调试器没有显示完整的源代码?" - Why is the FireFox debugger not showing full source code? Jsp页面显示源代码而不是结果 - Jsp page showing source code instead of result JavaScript 检索的 Div 未显示在源代码中 - Div retrieved by JavaScript not showing up in source code 查看源:显示JSON响应,而不是HTML源代码 - View Source: JSON Response is showing instead of HTML source code 为什么Firebug中显示的元素未显示在页面源代码中? - Why is an element showing in Firebug is not showing in page source code? Node js cheerio显示错误的html源代码 - Node js cheerio showing wrong html source code
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM