问题描述
我正在做 element.textContent = unescapedData
在网站上放置未转义的用户输入。攻击者有什么办法可以使用这种方式做坏事吗?
I'm doing element.textContent = unescapedData
to put unescaped user input on a website. Is there any way for an attacker to do something bad using this?
此外,攻击者是否有任何方式影响元素
(意思是在 30rem
之前由 3rem
框),如果它有以下css?
Also, is there any way for an attacker to affect the page outside of element
(meaning outside the 30rem
by 3rem
box) if it has the following css?
max-width: 30rem;
max-height: 3rem;
overflow: hidden;
我曾考虑过使用奇怪或无效的Unicode字符,但无法找到有关如何
I've thought about using weird or invalid Unicode characters, but couldn't find any information on how to accomplish this.
推荐答案
相关规范似乎位于。假设元素
是一个Element或DocumentFragment,则创建一个Text节点,并将其数据设置为 unescapedData
。
这个似乎是非常明确的,因为浏览器不会将Text节点渲染为除文本之外的任何内容。我没有跟踪规范。
The relevant spec seems to be at https://dom.spec.whatwg.org/#dom-node-textcontent. Assuming element
is an Element or DocumentFragment, a Text node is created and its data is set to the string unescapedData
.And this Is a DOM Text Node guaranteed to not be interpreted as HTML? seems pretty definitive that a browser won't render a Text node as anything but text. I haven't tracked that down in the spec yet.
所以,除非浏览器有缺陷,答案是否和否。
So, unless the browser is defective, the answers are "no" and "no".
这篇关于.textContent是否完全安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!