Preventing XSS in Node.js / server side javascript

后端未结

关注

 8  1988

花落未央 2020-12-07 10:24

Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes,etc. from POSTed dat

8条回答

隐瞒了意图╮ (楼主)

2020-12-07 11:04
All usual techniques apply to node.js output as well, which means:
- Blacklists will not work.
- You're not supposed to filter input in order to protect HTML output. It will not work or will work by needlessly malforming the data.
- You're supposed to HTML-escape text in HTML output.
I'm not sure if node.js comes with some built-in for this, but something like that should do the job:
```
function htmlEscape(text) {
   return text.replace(/&/g, '&').
     replace(/
     replace(/"/g, '"').
     replace(/'/g, ''');
}
```
0 讨论(0)

查看其它8个回答
发布评论:

提交评论
- 加载中...