網頁防止 XSS 攻擊的方法:
實現過濾器對特殊字符進行 HTML 實體轉義過濾(下例只適用於 HTML 元素內容上下文;屬性值、JavaScript、URL 或 CSS 上下文需要各自的編碼方式),例如:
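/**
 * Escape untrusted text for insertion into HTML *element content*, keeping only a
 * small allow-list of bare tags (<h1>, </h1>, <h2>, </h2>) as live markup.
 *
 * How it works: every `&`, `<` and `>` is first replaced by its HTML entity, so the
 * result can never open a tag the input did not contain; then the entity-encoded forms
 * of the allow-listed tags are restored. Because `&` is encoded first, an "&lt;" in the
 * intermediate string can only have come from a real "<" — a literal "&lt;h1&gt;" in the
 * input becomes "&amp;lt;h1&amp;gt;" and is never mistaken for a tag.
 *
 * Escaping the whole string (instead of only the text of tags matched by a regex) also
 * closes the bypass where a tag containing a newline — "<img\nsrc=x onerror=alert(1)>" —
 * is not matched by a `.`-based pattern and reaches the page unescaped.
 *
 * Context caveat: the output is only safe inside element content. It is NOT sufficient
 * for attribute values, <script> bodies, URLs or CSS, which need context-specific encoding.
 *
 * @param {string|null|undefined} xss - Untrusted input; null/undefined yield "".
 * @returns {string} The escaped text with allow-listed tags intact.
 */
function filter(xss) {
  // Tags allowed to survive as markup; matched exactly (case-sensitive, no attributes).
  var whiteList = ['h1', 'h2'];
  // Character -> entity. These MUST be the entity strings ("&lt;"), not the raw characters,
  // otherwise the replacement is a no-op and the "filtered" output still executes.
  var translateMap = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };

  if (xss == null) {
    return '';
  }

  var escaped = String(xss).replace(/[&<>]/g, function (ch) {
    return translateMap[ch];
  });

  // Restore "&lt;h1&gt;" / "&lt;/h1&gt;" for allow-listed names only. The name must be
  // immediately followed by "&gt;", so "<h1 onclick=...>" stays escaped.
  return escaped.replace(/&lt;(\/?)([A-Za-z0-9]+)&gt;/g, function (match, slash, name) {
    return whiteList.indexOf(name) >= 0 ? '<' + slash + name + '>' : match;
  });
}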
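// --- Demo: read the first query-string value and render it both raw and filtered. ---

/**
 * decodeURIComponent throws URIError on malformed percent-sequences (e.g. "%E0%A4%A").
 * The query string is attacker-controlled, so it must not be able to crash the page:
 * fall back to the undecoded text instead of propagating the exception.
 * @param {string} text - A single key or value from the query string.
 * @returns {string} The decoded text, or the input unchanged if it could not be decoded.
 */
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (err) {
    if (err instanceof URIError) {
      return text;
    }
    throw err;
  }
}

var search = location.search;
var query = search.slice(1); // drop the leading "?"

// Parse "k=v&k2=v2" into [{ key, val }]. Split on the FIRST "=" only so a value that
// itself contains "=" is kept whole, and a pair with no "=" yields val "" rather than
// the string "undefined". "+" is intentionally not converted to a space here.
var params = query.split('&').map(function (pair) {
  var eq = pair.indexOf('=');
  var key = eq === -1 ? pair : pair.slice(0, eq);
  var val = eq === -1 ? '' : pair.slice(eq + 1);
  return { key: safeDecode(key), val: safeDecode(val) };
});
console.log(params);

// Only the first parameter is used as the payload (split() always yields >= 1 entry).
var xss = params.length > 0 ? params[0].val : '';
console.log(xss);
console.log(filter(xss));

document.open();
// DELIBERATELY VULNERABLE, demo only: this writes attacker-controlled text into the
// document unescaped so the page can show the difference. Outside a demo every untrusted
// value must go through filter() — or, better, be set via textContent instead of written
// as markup.
document.write(xss);
document.write(filter(xss));
document.close();
// eg http://127.0.0.1:8080/?xss=<script>alert(1)</script><h1><h2>1233</h2></h1>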