I am implementing a so-called single-page application that accepts JSON as input. This also means that all HTML is displayed in the browser, and all templates (I use Knockout) are apparently not affected by user input, in the sense that the template is not dynamically created by the backend but is built statically into the client. In other words, I have nothing like this:
echo '<input type="text" value="$var">'
Thus, any output of user content essentially comes down to these JS methods:
document.createTextNode(userVar); // for displaying static text
inputElement.value = userVar;     // for populating input fields
document.title = userVar;         // some user input can be reflected in the doc title
window.history.pushState = ...    // no user input is set here directly, but there are URIs where this could be set using an outside link
So, now the question is: are these methods 100% safe against XSS? Or is there some way to trigger an XSS attack, and if so, how can this be done?
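As an added example (not code from the question or from the answer below), wrappers for the four sinks listed above, plus the same-origin check a practitioner would want before feeding a URI that came from an outside link into pushState. The element id, the base origin and the sample JSON values are assumed/constructed; the DOM parts need a browser, while sameOriginPath() is pure and runs anywhere.

```javascript
// 1. Static text: createTextNode never parses markup, so '<b>' stays literal text.
function setUntrustedText(element, userVar) {
  element.textContent = '';                        // drop previous children
  element.appendChild(document.createTextNode(String(userVar)));
}

// 2. Input fields: the .value property is data, not a serialized attribute,
//    so there is no quote-escaping problem as in the echo/PHP case.
function setUntrustedValue(inputElement, userVar) {
  inputElement.value = String(userVar);
}

// 3. Title: document.title assigns text, not HTML.
function setUntrustedTitle(userVar) {
  document.title = String(userVar);
}

// 4. History: pushState executes nothing, but a URI taken from an outside link
//    should be resolved against the current origin and rejected if it points
//    elsewhere (cross-origin URLs make pushState throw a SecurityError anyway,
//    and non-http schemes are not something the app should navigate to).
function sameOriginPath(candidate, baseOrigin) {
  let url;
  try {
    url = new URL(String(candidate), baseOrigin);  // also resolves relative paths
  } catch (e) {
    return null;                                   // unparsable: reject
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.origin !== new URL(baseOrigin).origin) return null;
  return url.pathname + url.search + url.hash;     // keep only the same-origin part
}

function pushUntrustedState(candidate, state) {
  const path = sameOriginPath(candidate, window.location.origin);
  if (path === null) return false;                 // ignore rather than navigate
  window.history.pushState(state, '', path);
  return true;
}

// Constructed sample, as it might arrive in the JSON payload (assumed element id "label").
const sample = { label: '<b>not bold</b>', next: '//elsewhere.example/path' };
if (typeof document !== 'undefined') {
  setUntrustedText(document.getElementById('label'), sample.label); // shows literal <b>not bold</b>
  pushUntrustedState(sample.next, null);                            // returns false, nothing pushed
}
```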
[Answer text not recoverable from the extraction; only these fragments survive: document.createTextElement, DOM, XSS, script, "eval is evil", <script>, JavaScript, "script 10 1 000 000", Google Chrome.]
Source: https://habr.com/ru/post/1598720/