堆栈内存溢出
  简体   繁体   English

如何防止针对keyup()jQuery事件的XSS?

[英]How can I prevent XSS for an keyup() jQuery event?

 原文  2012-04-13 03:47:24       javascript/ jquery/ xss

问题描述

I am making a form with an keyup() event: every character the user types is immediately displayed into another div on the same page. 我正在用keyup()事件制作表单:用户键入的每个字符都会立即显示在同一页面上的另一个div中。

It's vulnerable to XSS. 它容易受到XSS的攻击。 How can I secure it using jQuery? 如何使用jQuery保护它?

Note: In my forms, I am using latin alphanumeric characters only, as well as commas, semi-colons, colons. 注意:在表单中,我仅使用拉丁字母数字字符以及逗号,分号,冒号。

I have searched the "Reform" tool from OWASP but is there a way that's better? 我已经从OWASP搜索了“改革”工具,但是有没有更好的方法?

Thanks in advance. 提前致谢。 Regards 问候

2 个解决方案

解决方案1
 3 已采纳  2012-04-13 03:53:39

With the few details available: remember that you don't have to use jQuery's HTML "parsing" for everything. 提供一些细节:请记住,您不必为所有内容使用jQuery的HTML“解析”。 Instead of using .html() , use DOM manipulations and .text() (which are also usually faster). 除了使用.html() ,还可以使用DOM操作和.text() (通常也更快)。 For example, this: 例如,这: 

$('#result').html('<span class="whatever">' + someInput + '</span>');

would become this: 会变成这样: 

$('#result').text($('<span>').addClass('whatever').text(someInput));

If that's not possible, you can also do flawless HTML escaping by setting with .text() and then fetching it with .html() . 如果不可能,也可以通过设置.text()然后使用.html()进行完美的HTML转义。 For example, this: 例如,这: 

var data = 'This text: **is bold**';

$('#result').html(data.replace(/\*\*(.+?)\*\*/g, '<b>$1</b>'));

would become this: 会变成这样: 

var data = 'This text: **is bold**';

$('#result').html(data.replace(/\*\*(.+?)\*\*/g, function(x) {
    return '<b>' + $('<div>').text(x).html() + '</b>';
}));

解决方案2
 1  2012-04-13 03:55:22

I've found the xss cleaner included in node-validator to be comprehensive. 我发现node-validator包含的xss清洁程序很全面。 The code you're interested in is available here . 您感兴趣的代码在这里 You'll need to clean it up a little to use in the browser (remove the module.exports and wrap in a Javascript closure instead) but it should work pretty seamlessly. 您需要对其进行一些清理,以便在浏览器中使用(删除module.exports并包装为Javascript闭包),但是它应该可以无缝运行。 If you wanted to, you could make it directly into a JQuery plug-in as well. 如果愿意,也可以直接将其添加到JQuery插件中。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在jQuery中保留keyup事件的第一个原始值 - How can I preserve first original value on keyup event in jQuery 如何在jQuery中阻止keyup()事件一秒钟? - How can I block the keyup() event for a second in jQuery? 在 javascript 中按键后,我可以防止按键事件吗? - Can I prevent keyup event after a keydown in javascript? 从输入中删除字符时,如何防止keyup事件触发两次? - How can I prevent the keyup event fires twice when remove a character from input? 如何让&#39;keydown&#39;事件阻止&#39;keyup&#39;事件? - how can i make a 'keydown' event block a 'keyup' event? Javascript:防止keyUp事件 - Javascript: prevent keyUp event 如何使用“ contenteditable 1”的val通过“ keyup”事件更新“ contenteditable 2”? - How can I use val of “contenteditable 1” to update “contenteditable 2” with “keyup” event? jquery - 如何转义 html 以防止 XSS? - jquery - how to escape html to prevent XSS? 如何在IE8中生成具有特定键码的键盘事件? - How can I generate a keyup event with a specific keycode in IE8? jQuery:如何防止内部div中的click事件 - jquery: How can I prevent click event in the inner div
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM