Is it secure to use window.location.href directly without validation

情深已故 2020-12-09 05:04

Is it secure to use window.location.href without any validation?

For example:



        
3 answers
  •  借酒劲吻你
    2020-12-09 05:24

    An XSS is not possible under #1

    The worst case I can think of is someone using that for Social Engineering (let's say your domain is really popular like Ebay or Amazon), what an attacker could do is craft a message saying something like "Amazon/Ebay free stuff for you, just go to http://haxor.site" using the URL and sending it to someone.

    But still I don't find it dangerous, because of the URL encoding the message would look pretty messy.

    EDIT: This only answers #1, since when I answered this question there wasn't a "#2"
