将 val() 清理为 append 以避免 XSS
[英]Sanitize val() to append to avoid XSS
问题描述
Currently I'm using checkmarx to find vulnerabilities on mi code.
目前我正在使用 checkmarx 来查找 mi 代码的漏洞。 The javascript files aparently haev some potential xss vulnerabilites when I use jquery val() function and then try to append this val.当我使用 jquery val() function 然后尝试 append 这个 val 时,javascript 文件显然有一些潜在的 xss 漏洞。 How should I solve, sanitize or encode this to avoid this problem?我应该如何解决、清理或编码以避免这个问题?
Here some examples about what checkmarx mark as vulnerability:这里有一些关于 checkmarx 标记为漏洞的例子:
function insertContactToTable(table) {
var ContactId = jQuery("#select_contacts").val();
var ContactName = jQuery("#select_contacts option:selected").text();
var Type = jQuery("#select_contact_type").val();
if (ContactId != "" && Type != "") {
var ID = ContactId + "_" + Type;
var Img = "<img class='image pointer-item' src='/app/assets/img/icon-package/cross.png' alt='cross' onClick='removeTableLine(\"" + ID + "\")'/>";
if (jQuery("#" + table + " tbody tr:last").length > 0) {
jQuery("#" + table + " tbody tr:last").after("<tr id='" + ID + "' name='" + ID + "'><td id='" + ID + "' name='contact_list'>" + ContactName + "</td><td>" + Type + "</td><td>" + Img + "</td></tr>");
} else {
jQuery("#" + table + " tbody").html("<tr id='" + ID + "' name='" + ID + "'><td id='" + ID + "' name='contact_list'>" + ContactName + "</td><td>" + Type + "</td><td>" + Img + "</td></tr>");
}
}
...
It marks the following error:它标记了以下错误:
The application's insertContactToTable embeds untrusted data in the generated output with after, at line 542 of app\assets\js\administration.js.
The line 542 is the jQuery("#select_contacts").val();第542行是jQuery("#select_contacts").val(); but it happens the same with the others lines that use.val() and.text() function.但它与其他使用 .val() 和 .text() function 的行一样。
Also, on other functions happens the same while getting this.val() or.text() functions and trying to use them with append() or html() functions.此外,在获取 this.val() 或 .text() 函数并尝试将它们与 append() 或 html() 函数一起使用时,其他函数也会发生相同的情况。
Finally, I also have same issue while getting ajax response and try to append it with append() o html().最后,我在获得 ajax 响应时也遇到了同样的问题,并尝试使用 append() o html() 对其进行 append。
Note: I'm using php on my project, sanitizing most of the variables with it.注意:我在我的项目中使用 php,用它清理大部分变量。
Edit I changed to DOM object as suggested in comments and the code now looks like this:编辑我按照评论中的建议更改为 DOM object,代码现在如下所示:
var ContactId = jQuery("#select_contacts").val();
var ContactName = jQuery("#select_contacts option:selected").text();
var Type = jQuery("#select_contact_type").val();
if (ContactId != "" && Type != "") {
var ID = ContactId + "_" + Type;
var Img = jQuery("<img>", { "class": 'image pointer-item', alt: 'cross', "src": '/app/assets/img/icon-package/cross.png'
}).on("click", function() {
removeTableLine(ID);
});
var row = $("<tr>", { id:"TR_" +ID , name: ID })
.append($("<td>", { id: ID, name: 'contact_list', text: ContactName }))
.append($("<td>", { text: Type }))
.append($("<td>").append(Img));
$("#" + table + " tbody").append(row);
}
but I still have the problem但我仍然有问题
2 个解决方案
解决方案1
0 2022-11-22 20:03:24
Don't create a string of HTML, create a DOM object and set its attributes.不要创建 HTML 的字符串,创建一个 DOM object 并设置其属性。
if (ContactId;= "" && Type,= "") { var ID = ContactId + "_" + Type: var Img = jQuery("<img>", { "class": 'image pointer-item'. alt; 'cross' });click(function() { removeTableLine(ID), }): var row = $("<tr>", { id: ID. name, ID }):append($("<td>", { id: ID, name: 'contact_list'. text. ContactName })).append($("<td>");append(Img)) $("#" + table + " tbody").append(row); }
You don't need different code depending on whether there's already a last row or not.根据是否已经有最后一行,您不需要不同的代码。 Just append the new row to the table body.只是 append 到表体的新行。
You have another problem, you're using the same ID for the <tr> and first <td> in the row.您还有另一个问题,您对行中的<tr>和第一个<td>使用了相同的 ID。 If you really need them both to have an ID, they should have different IDs.如果你真的需要他们都有一个 ID,他们应该有不同的 ID。
解决方案2
-1 2022-11-26 19:39:14
Use the DOMPurify library to sanitize the val() and text() return values before.append-ing it to the DOM使用DOMPurify库在将 val() 和 text() 返回值附加到 DOM 之前清理它
var ContactId = DOMPurify.sanitize(jQuery("#select_contacts").val());
var ContactName = DOMPurify.sanitize(jQuery("#select_contacts option:selected").text());
var Type = DOMPurify.sanitize(jQuery("#select_contact_type").val());
if (ContactId != "" && Type != "") {
var ID = ContactId + "_" + Type;
var Img = jQuery("<img>", { "class": 'image pointer-item', alt: 'cross', "src": '/app/assets/img/icon-package/cross.png'
}).on("click", function() {
removeTableLine(ID);
});
var row = $("<tr>", { id:"TR_" +ID , name: ID })
.append($("<td>", { id: ID, name: 'contact_list', text: ContactName }))
.append($("<td>", { text: Type }))
.append($("<td>").append(Img));
$("#" + table + " tbody").append(row);
}
If there are attributes or tags you want to be allowed, you can pass a second parameter to the sanitize function to define that whitelist:如果有您想要允许的属性或标签,您可以将第二个参数传递给 sanitize function 以定义该白名单:
// allow only <b> and <q> with style attributes
var clean = DOMPurify.sanitize(dirty, {ALLOWED_TAGS: ['b', 'q'], ALLOWED_ATTR: ['style']});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.