stackoom
  简体   繁体   中英

Preventing XSS when using .attr('href', url) in jQuery

 原文  2015-11-19 14:10:12       javascript/ jquery/ security/ xss/ code-injection

Question

I want to update the href tag in jQuery. The data is untrusted. I'm trying to understand how can I craft a malicious input to cause an XSS type attack. 

<a href='http://example.com' class='link'>Link</a>

My understanding is that the function below should terminate the href tag unexpectedly and create a new attribute onclick , but it doesn't work. 

$('.link').on('click', function(e){
    e.preventDefault();
    $(this).attr('href',"' onclick='alert(\"ok\")'");    
});

Here's the fiddle : http://jsfiddle.net/c1d7tuda/1/

PS End goal is to use _.escape() for HTML entities, but want to justify its usage.

1 answers

solution1
 0  2015-11-19 19:57:00

If you're updating the href attribute of your link using unvalidated user input, a malicious user could supply javascript:alert(0) as their href value. Then, if a user clicked on the link, it would execute the malicious user's arbitrary javascript.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question generating link using Url.Action with jquery href attr jQuery addClass() not working when also using attr(“href”, something) Can using the HREF with jQuery be vulnerable to XSS? Replacing a href link using jQuery .attr How to apply to all href attr using jQuery Is jQuery .attr() method XSS safe? jQuery - Change href attr jquery get a href using attr() doesn't work jquery $(this).attr('href') returns undefined Try-catch when loading an url in iframe using jQuery's attr("src", url)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM