
What is “Escaped” & “Unescaped” output

I'm not familiar with Javascript

Learning a node.js template engine; it has "Escaped" & "Unescaped" output

What actually is "Escaped" & "Unescaped" output?

Is it like "include once" & "include"?

(Google is giving no results about this)

Escaping and unescaping are useful to prevent Cross Site Scripting (XSS) attacks. It is one of the common web attacks, since it will be easy to create an attack vector if the site is not designed carefully. It's ranked number 3 in OWASP's Top 10 vulnerabilities of 2013.

The main intention is to NOT let the browser execute or interpret the HTTP response in a different way than intended.

For example, let's say you have a web page which lets the user enter his address and you want the user to confirm it on the next page. So, you are getting the address entered by the user and displaying it on the next page. If the user enters a valid address, it will not be a problem. What if the user enters something like this:

<script>
    alert("Welcome");
</script>

Your next page will simply produce an alert box saying Welcome. Now, consider this case. You are writing a blogging application, and the user enters the above seen script in the text box provided. You'll be storing it in the DB and whoever wants to see your blog will get to see that alert box. The worst thing is, if the attacker puts that in an infinite loop, whoever visits that blog will not be able to read the content at all.

This is just one of the basic attacks, which is possible if you don't escape the text.

So, normally, the text the user entered will be escaped and then stored in the DB. For example, the above seen attack vector (the script tag thing) will become like this, after HTML escaping:

&lt;script&gt;
        alert(&quot;Welcome&quot;);
&lt;/script&gt;

Now, the browser will not consider this a script element but an HTML element, so it will display it as

<script>
    alert("Welcome");
</script>

instead of executing it.
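As an added example that is not part of the original answer: a minimal HTML escaper and a tiny renderer with escaped (`{{x}}`) and unescaped (`{{{x}}}`) output, run over the script from the answer. The brace syntax is an assumption chosen to resemble common node.js engines, not any particular engine's API.

```javascript
// Added example: minimal HTML escaping plus a tiny template renderer
// with both escaped and unescaped output. The {{x}} / {{{x}}} syntax is
// assumed for illustration and does not belong to any specific engine.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escaped output: replace the characters that let text be read as HTML
// markup (or break out of an attribute value) with character entities.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a template: {{{key}}} inserts the raw value (unescaped output),
// {{key}} inserts the escaped value. Triple braces are tried first so
// that "{{{x}}}" is not read as "{{" + "{x}" + "}}".
function render(template, data) {
  return template.replace(
    /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
    (_, rawKey, escKey) =>
      rawKey !== undefined ? String(data[rawKey]) : escapeHtml(data[escKey])
  );
}

// True when the rendered HTML contains a script element the browser would run.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the script from the answer, submitted as an "address".
const userAddress = '<script>alert("Welcome");</script>';

// Escaped output shows the text literally; unescaped output embeds a live script.
const escapedPage = render('<p>Your address: {{address}}</p>', { address: userAddress });
const unescapedPage = render('<p>Your address: {{{address}}}</p>', { address: userAddress });

console.log(escapedPage);   // <p>Your address: &lt;script&gt;alert(&quot;Welcome&quot;);&lt;/script&gt;</p>
console.log(unescapedPage); // <p>Your address: <script>alert("Welcome");</script></p>
```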

Escape: This function encodes special characters, with the exception of: * @ - _ + . / http://www.w3schools.com/jsref/jsref_escape.asp

Unescape: The unescape() function decodes an encoded string. http://www.w3schools.com/jsref/jsref_unescape.asp
