问题
I'm doing element.textContent = unescapedData to put unescaped user input on a website. Is there any way for an attacker to do something bad using this?
Also, is there any way for an attacker to affect the page outside of element (meaning outside the 30rem by 3rem box) if it has the following css?
max-width: 30rem;
max-height: 3rem;
overflow: hidden;
I've thought about using weird or invalid Unicode characters, but couldn't find any information on how to accomplish this.
回答1:
The relevant spec seems to be at https://dom.spec.whatwg.org/#dom-node-textcontent. Assuming element is an Element or DocumentFragment, a Text node is created and its data is set to the string unescapedData.
And this Is a DOM Text Node guaranteed to not be interpreted as HTML? seems pretty definitive that a browser won't render a Text node as anything but text. I haven't tracked that down in the spec yet.
So, unless the browser is defective, the answers are "no" and "no".
回答2:
Plain text set at .textContent is not executable outside of script element where .type is set to text/javascript.
Would suggest using pattern attribute with appropriate RegEx at input element within form to address potential concerns.
来源:https://stackoverflow.com/questions/42987957/is-textcontent-completely-secure