'innerText' 是否可以防止 XSS?
Does 'innerText' prevent XSS?
如果我要在我的网站上显示用户生成的输入,仅通过在 javascript 中执行 Element.innerText = "user input" 来显示它是否足够安全,或者我是否需要额外过滤输入以防止 XSS?
Does 'innerText' prevent XSS?
并非在所有情况下! following excerpt is from the OWASP Foundation regarding unsafe usages of innerText:
One example of an attribute which is thought to be safe is innerText. Some papers or guides advocate its use as an alternative to innerHTML to mitigate against XSS in innerHTML. However, depending on the tag which innerText is applied, code can be executed.
内容提供了以下示例(为清楚起见,我对其进行了修改)
const tag = document.createElement("script");
tag.innerText = `console.log('Inner Text Used')`;
document.body.appendChild(tag); //executes code
然而,在大多数情况下,innerText 是您用来防止 XSS 的方法,也是 documented on OWASP:
... use innerText/textContent. This will solve the problem, and it is the right way to re-mediate DOM based XSS vulnerabilities
如果我要在我的网站上显示用户生成的输入,仅通过在 javascript 中执行 Element.innerText = "user input" 来显示它是否足够安全,或者我是否需要额外过滤输入以防止 XSS?
Does 'innerText' prevent XSS?
并非在所有情况下! following excerpt is from the OWASP Foundation regarding unsafe usages of innerText:
One example of an attribute which is thought to be safe is innerText. Some papers or guides advocate its use as an alternative to innerHTML to mitigate against XSS in innerHTML. However, depending on the tag which innerText is applied, code can be executed.
内容提供了以下示例(为清楚起见,我对其进行了修改)
const tag = document.createElement("script");
tag.innerText = `console.log('Inner Text Used')`;
document.body.appendChild(tag); //executes code
然而,在大多数情况下,innerText 是您用来防止 XSS 的方法,也是 documented on OWASP:
... use innerText/textContent. This will solve the problem, and it is the right way to re-mediate DOM based XSS vulnerabilities