Evaluating security of my escape function with XSS


Question


I made a javascript function that takes an input and escapes it, returning a div string with the text as an example. Is this escape function susceptible to XSS attacks, and if so, what is the issue?

function escape(s) {
    s = s.toString()
    if (s.length > 100) { throw new Error("Too long!") }
    // replaces each character through a lookup table; anything not in the table passes through unchanged
    s = s.replace(/./g, function(x) {
        // note: '&amp' is written without a trailing semicolon in the original post
        return { '<': '&lt;', '>': '&gt;', '&': '&amp'}[x] || x;
    });
    if (s.match("prompt") || s.match("alert")) { throw new Error("XSS caught") }
    return "<div>"+s+"</div>"
}

No errors, I would just like to know if my function is vulnerable

Answer 1

Score: 1


I can identify a few issues. There are other characters you should try to block like double quotes, single quotes, and back-ticks. Checking the string length is good practice but you can still make malicious code with shorter length. Finally, you are checking if they are using "prompt" or "alert". It is possible to obfuscate code to pass this.
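The following is an added example, not code from the asker or the answerer: a hardened version of the escape() from the question that encodes the quote and back-tick characters the answer mentions as well as &, <, >, drops the keyword blacklist, and adds a self-check helper. The names escapeHtml, renderDiv and isSafelyEscaped are assumptions of this example, and it assumes the output is only ever placed in HTML text or inside a quoted attribute value, not inside a script block, URL or event-handler attribute.

```javascript
// Characters that can end an HTML text node or a quoted attribute value.
// '&' is encoded as well so the output cannot be decoded into something else.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',  // closes a double-quoted attribute value
  "'": '&#39;',   // closes a single-quoted attribute value
  '`': '&#96;',   // legacy attribute delimiter in old IE; cheap to encode
};

// Single-pass replacement with a character class: every input character is
// visited exactly once, so the result can never be double-encoded.
function escapeHtml(input) {
  return String(input).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Same <div> wrapper as in the question, but with the hardened escaper and
// without a keyword blacklist (which the answer notes is easy to obfuscate past).
// The length limit stays as a plain size check, not as a security control.
function renderDiv(input, maxLength = 100) {
  const s = String(input);
  if (s.length > maxLength) { throw new Error('Too long!'); }
  return '<div>' + escapeHtml(s) + '</div>';
}

// Defensive self-check for escaped output: no raw delimiter may survive, and
// every '&' must start one of the entities this escaper emits. It also flags
// the '&amp' (no semicolon) produced by the function in the question.
function isSafelyEscaped(escaped) {
  if (/[<>"'`]/.test(escaped)) { return false; }
  const withoutEntities = escaped.replace(/&(amp|lt|gt|quot|#39|#96);/g, '');
  return withoutEntities.indexOf('&') === -1;
}
```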

huangapple
  • Posted on 17 May 2023 06:41:14
  • Please keep this link when reposting: https://go.coder-hub.com/76267514.html