Avoid cross-site scripting (XSS) in vue toasted notification title
Question
I use vue-toasted when inject js code ex. "><img src=1 onerror=prompt(document.cookie);> in input and click submit.
Notification show like that: and popup show with cookie :/ .
and console.log(response.data.message); show:
Created Site ""><img src=1 onerror=prompt(document.cookie);>" successfully!
vue is escaping html but toasted is not, here is the code:
handleFormSubmit: function(response) {
this.showAddSiteModal = false;
if (response.data.status === 'success')
{
console.log(response.data.message);
this.$toasted.success(response.data.message); //<<< problem here
this.addSite(response.data.site);
}
else
{
this.$toasted.error(response.data.message);
}
},
1 answers
solution1
-1 2018-04-10 20:39:59
在php端使用htmlspecialchars() 。
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Cross-site Scripting (XSS) using a hyphen
C# MVC Cross-Site Scripting (XSS) Prevention
How to prevent our URL from Cross-site scripting (XSS)?
i am getting warning Cross-site Scripting (XSS) with innerHTML
call to innerHTML contains a cross-site scripting (XSS)
Fortify scan issue for (XSS) Cross-Site Scripting: DOM
Getting reflected Cross-Site Scripting (XSS) attack in node js
JavaScript, This can enable a Reflected Cross-Site Scripting (XSS) attack
cross-site scripting
Cross site scripting (XSS) possible?
Related Tags