
Protect JQuery code against XSS

Developer https://www.devze.com 2023-01-05 05:19 Source: Web

I am working on an HTML form that posts the data to a URL. I am also using jQuery to get query string parameters and add them to the data I post to the URL. Is there any way to protect against XSS attacks? Any HTML encoding plugins or built-in functions?


The answer of jigfox is not 100% right. Sometimes, you could use data from the URL directly in JavaScript. Even if you sanitize a link server side, it doesn't mean that another website can't link to your website using a malicious URL.

I use this URL to proof-check my websites: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet


Protecting jQuery code against XSS is very hard, because so many jQuery functions/methods are XSS sinks. See this question as an example.

When writing plain JavaScript, you must be careful what changes are made to the DOM and what you pass to "eval()", "new Function()", "setTimeout()" and "setInterval()".

When writing jQuery code you must additionally be careful what you pass to the following functions, because they may call eval() or make changes to the DOM:

  • jQuery()
  • $()
  • .after()
  • .append()
  • .appendTo()
  • .before()
  • .html()
  • .insertAfter()
  • .insertBefore()
  • .parseHTML()
  • .prepend()
  • .prependTo()
  • .replaceWith()
  • .wrap()
  • .wrapAll()
  • .wrapInner()

As soon as you pass a string you do not control to any of these functions, there is a risk of XSS.

Moreover, this list might not be complete. This is only what I came up with by doing a quick search through the jQuery code.
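As an added illustration of the two answers above (it is not code from either answerer), the following plain-JavaScript snippet shows the pattern the sink list warns about next to its hardened form: a value read from the query string is first concatenated straight into markup destined for an `.html()`-style sink, then passed through an HTML-encoding helper that follows the OWASP cheat sheet's rule for HTML element content. The helper names (`escapeHtml`, `getQueryParam`, `renderUnsafe`, `renderSafe`) and the sample query string are assumptions made for this example; jQuery itself is not needed to run it.

```javascript
// Added example, not from the original answers. Demonstrates why a raw
// query-string value must not reach an HTML sink such as .html()/innerHTML,
// and one way to encode it (OWASP XSS Prevention Cheat Sheet, rule #1:
// escape & < > " ' / before inserting untrusted data into element content).

// Replacement table for the characters OWASP's rule #1 lists.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Encode a value so a browser renders it as text rather than parsing it as
// markup. String() keeps numbers and null from throwing.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Read one parameter from a query string such as window.location.search.
// Returns "" when the parameter is absent so "undefined" never lands in markup.
function getQueryParam(search, name) {
  const params = new URLSearchParams(search);
  const v = params.get(name);
  return v === null ? "" : v;
}

// Unsafe pattern: the raw parameter is concatenated into markup that would
// then be handed to an HTML sink (equivalent to $('#out').html(...)).
// Any tags inside the parameter are parsed as HTML by the browser.
function renderUnsafe(search) {
  const name = getQueryParam(search, "name");
  return "<p>Hello, " + name + "</p>";
}

// Hardened counterpart: encode before concatenating. In a browser, preferring
// a text-only sink ($('#out').text(name) or el.textContent = name) achieves
// the same result without hand-built markup.
function renderSafe(search) {
  const name = getQueryParam(search, "name");
  return "<p>Hello, " + escapeHtml(name) + "</p>";
}

// Constructed sample query string (hypothetical): the kind of link another
// site could point at this page. Decodes to <script>alert(1)</script>.
const SAMPLE_SEARCH = "?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E";

console.log("unsafe:", renderUnsafe(SAMPLE_SEARCH));
console.log("safe:  ", renderSafe(SAMPLE_SEARCH));
```

Note that `escapeHtml` is only correct for the HTML element body context. Data placed into an attribute value, a URL, inline CSS or a JavaScript string needs the context-specific encoding described in the cheat sheet linked in the first answer, and the same encoder can be applied server-side before the page is sent, as the third answer recommends.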


You can't protect jQuery from XSS. XSS vulnerabilities occur in your server software. Take a look at Exploit_scenarios for a better understanding of how XSS works.

A website that outputs data that is user generated has a possible XSS vulnerability if it outputs the user generated content unfiltered, because then the user can create a <script/> tag with malicious code. But you need to filter this on the server before sending it to the client (browser).
