EncodeUri Function in JavaScript

I am generating a search output based on a user query and generating search result pages like this

location.href = root_url + "SearchCenter/Pages/internal.aspx" + "?q=" + st

I am looking into protecting against XSS attacks.

I am using encodeURI to protect against the attack with

encodeURI("http://Server.com/SearchCenter/Pages/internal.aspx?q=<script>alert('dd')</script>)")

which outputs

http://server.com/SearchCenter/Pages/internal.aspx?q=%3Cscript%3Ealert('dd')%3C/script%3E)

Now what if, instead of a tag, they enter JavaScript:Alert('dd'), which encodeURI would not protect against?

So my question is: is there any JS library or function that I can use to protect against URL XSS attacks?

You should solve this server side. Never trust the client so whatever it sends should be vetted on the server before being rendered in the HTML. So accept whatever they send and use a server component to make sure that whatever gets outputted is safe.
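
An added example, not part of the original question or answer: the client confines the query to a single parameter value with encodeURIComponent (encodeURI leaves & = # untouched), and the server encodes for HTML and checks the URL scheme at output time. The function names are hypothetical, and the server side is written in JavaScript only for illustration, since the page in the question is an .aspx page.

```javascript
// Added example. buildSearchUrl, escapeHtml, safeHref and renderResultsHeader
// are hypothetical names; ROOT_URL uses the host from the question.
const ROOT_URL = "http://Server.com/";

// Client side: encode the search term as one query parameter value.
// encodeURI keeps & = # ? / as-is, so input could add parameters or a fragment.
function buildSearchUrl(st) {
  return ROOT_URL + "SearchCenter/Pages/internal.aspx?q=" + encodeURIComponent(st);
}

// Server side: encode for the HTML context when the value is written out.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Server side: a value used as a link target must resolve to http(s).
// The URL parser lowercases the scheme, so "JavaScript:" is caught as well.
function safeHref(value) {
  let u;
  try { u = new URL(value, ROOT_URL); } catch { return "#"; }
  return (u.protocol === "http:" || u.protocol === "https:") ? u.href : "#";
}

// Server side: decode the query string, then escape before rendering.
function renderResultsHeader(rawQueryString) {
  const q = new URLSearchParams(rawQueryString).get("q") || "";
  return "<h1>Results for " + escapeHtml(q) + "</h1>";
}

console.log(buildSearchUrl("<script>alert('dd')</script>"));
console.log(renderResultsHeader("q=%3Cscript%3Ealert('dd')%3C%2Fscript%3E"));
console.log(safeHref("JavaScript:Alert('dd')"));
```

URL encoding on the client only keeps the request well-formed; the escaping and scheme check on the server are what decide whether the rendered page is safe.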
