问题
Nowadays I am learning about web security, XSS, etc. As XSS basically targets a client-agent (web browser) by injecting some malicious code that is executed by the web browser as it was inserted by an authenticated user. Now the question is Why can't we have a tag in html that just shows literals and prevents the execution of anything inside it?
Something like:
<!-- The code below will not be executed and just treated as literal content by a web browser -->
<ltrl>
<script type="text/javascript">alert('You have been xssed');</script>
</ltrl>
So if I would have something like this in html then it were shown as
<script type="text/javascript">alert('You have been xssed');</script>
in web browser.
回答1:
Suppose the contents of the text supplied by the attacker was:
</ltrl>
<script type="text/javascript">alert('You have been xssed');</script>
<ltrl>
the total markup would be
<ltrl>
</ltrl>
<script type="text/javascript">alert('You have been xssed');</script>
<ltrl>
</ltrl>
and your defence has been trivially breached.
来源:https://stackoverflow.com/questions/8692252/why-cant-we-have-some-antixss-literal-html-tag