leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

How to defend against this case #160

Closed ZH3FENG closed 5 years ago

ZH3FENG commented 5 years ago

URL:http://example.com/user/info?'-alert(99)-'

Node page:

Rendered HTML page:

alert(99) executes.

leizongmin commented 5 years ago

This module is mainly for filtering HTML code against common XSS vulnerabilities; it probably does not apply to an example like yours. I suggest writing some targeted code of your own to filter it.
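The exchange above hinges on output context: the query value `'-alert(99)-'` contains no HTML, so a tag/attribute whitelist has nothing to strip, yet it breaks out of a JavaScript string literal when concatenated into a `<script>` block. The example below is added here and is not code from the js-xss project or from either participant; it assumes the Node page built a script of the shape `var backUrl = '<query value>'` (the issue does not show the template), and the function names `renderVulnerable`, `renderSafe`, `jsStringLiteral`, `tagWhitelist` and `literalIsIntact` are hypothetical. It shows a whitelist sanitizer leaving the payload untouched, the concatenation pattern that lets it execute, and the context-appropriate encoding that keeps the value inside the literal.

```javascript
// Payload quoted from the issue: no tags, so tag filtering does nothing.
const PAYLOAD = "'-alert(99)-'";

// Assumed shape of the vulnerable Node page (not shown in the issue):
// the raw query value is concatenated into a JS string literal.
function renderVulnerable(userValue) {
  return `<script>var backUrl = '${userValue}';</script>`;
}

// Encode a value as a JavaScript string literal for use inside <script>.
// JSON.stringify escapes quotes, backslashes and control characters; the
// extra replacements stop the literal from ending the script element
// (</script>) or opening an HTML comment (<!--), and escape the U+2028/2029
// line terminators that older engines treat as newlines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened form: the value is always a single, fully escaped literal.
function renderSafe(userValue) {
  return `<script>var backUrl = ${jsStringLiteral(userValue)};</script>`;
}

// Minimal tag whitelist, constructed to stand in for an HTML sanitizer
// (not the xss package itself): drops every tag outside a short allow-list.
function tagWhitelist(html) {
  const allowed = ["b", "i", "p", "a"];
  return html.replace(/<\/?([a-z0-9]+)[^>]*>/gi, (tag, name) =>
    allowed.includes(name.toLowerCase()) ? tag : "");
}

// Defender's check for the assumed script shape: true only if the right-hand
// side is exactly one quoted literal (every inner quote escaped) and cannot
// terminate the script element from inside the string.
function literalIsIntact(scriptHtml) {
  const m = /^<script>var backUrl = (.*);<\/script>$/s.exec(scriptHtml);
  if (!m) return false;
  const expr = m[1];
  if (/<\/script|<!--/i.test(expr)) return false;
  return /^'(?:[^'\\\n]|\\.)*'$/.test(expr) || /^"(?:[^"\\\n]|\\.)*"$/.test(expr);
}

console.log("whitelist output :", tagWhitelist(PAYLOAD));
console.log("vulnerable       :", renderVulnerable(PAYLOAD));
console.log("safe             :", renderSafe(PAYLOAD));
```

`jsStringLiteral` is the right primitive when a value must be embedded in script; an HTML-entity encoder is not, because entities are not decoded inside `<script>` content, and a tag whitelist is irrelevant to this context. Where possible, avoid embedding at all and pass the value through a `data-` attribute or a JSON endpoint instead.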