Secure way of inserting dynamic values in external JavaScript files

前端未结

关注

 1  1017

独厮守ぢ 2020-12-06 17:30

I\'m implementing Content Security Policy headers using the following policy

Content-Security-Policy: default-src \'self\'

so will need to avoid

1条回答

失恋的感觉 (楼主)

2020-12-06 18:18
$('#@ViewData.TemplateInfo.GetFullHtmlFieldName(string.Empty)')

Yeah this isn't a good approach in general. Razor will HTML-escape by default but the context isn't simply HTML here, it's:
- an identifier, inside
- a CSS selector, inside
- a JavaScript string literal, inside
- a JavaScript statement, inside
- an HTML CDATA element (