At work, forms make up a large part of the requirements, so scenarios that take user input are unavoidable. In those scenarios, XSS attacks are often overlooked.

Here I recommend a link that briefly describes XSS and CSRF. The author introduces XSS in some detail, along with several use cases, which you can understand from that article without much further explanation.

Front-end escaping

Regular expressions are a poor tool for escaping user input; they are useful only for validation.

Here is a very simple escaping method:

function htmlEncode(str) {
  const div = document.createElement('div');
  // A text node is never parsed as markup, so serialising it escapes the string
  div.appendChild(document.createTextNode(str));
  return div.innerHTML; // returns the escaped string, e.g. <div> -> &lt;div&gt;
}

Yes, you read that right. Using innerHTML this way is as simple as adding thousands separators to a large number with toLocaleString('en-US'):

const transform = num => num.toLocaleString('en-US');

transform(31242535155715); // "31,242,535,155,715"

Recommended library

github.com/leizongmin/… The documentation for this library is available at jsxss.com/zh/index.ht…

Back-end processing

Because front-end source code is visible to the user, many front-end prevention measures can be bypassed; they are only a small lock on the door. The real defence must be enforced by the back end.
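The following is an added example, not code from the original post or from the js-xss library. It shows the same escaping as the DOM-based htmlEncode above, but implemented on plain strings so it runs on a Node.js back end where there is no document object. It also covers a caveat the DOM trick hides: serialising a text node escapes only '&', '<' and '>', which is enough for element text but not for attribute values, where quotes must be escaped too. The username whitelist, the renderComment template and the sample comment are all constructed for this example.

```javascript
// Added example (not from the original post): context-aware HTML escaping
// that works without a DOM, so it can run on the server side as well.
// The DOM trick (createTextNode + innerHTML) escapes only '&', '<', '>',
// which is fine for text content but unsafe inside attribute values.

const TEXT_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
const ATTR_ESCAPES = { ...TEXT_ESCAPES, '"': '&quot;', "'": '&#39;' };

// Escape a value for use as element text content (same result as htmlEncode).
function escapeText(str) {
  return String(str).replace(/[&<>]/g, ch => TEXT_ESCAPES[ch]);
}

// Escape a value for use inside a quoted attribute value.
function escapeAttr(str) {
  return String(str).replace(/[&<>"']/g, ch => ATTR_ESCAPES[ch]);
}

// Validation and escaping are different jobs: a whitelist regex rejects input
// that cannot be a username, while escaping makes arbitrary input safe to embed.
// Hypothetical username rule, constructed for this example.
const USERNAME_RE = /^[A-Za-z0-9_]{1,32}$/;
function isValidUsername(name) {
  return USERNAME_RE.test(name);
}

// Render a comment block on the server. Every user-controlled value goes
// through the escaper that matches the HTML context it lands in.
function renderComment({ author, body }) {
  if (!isValidUsername(author)) {
    throw new Error('invalid username');
  }
  return (
    `<div class="comment" data-author="${escapeAttr(author)}">` +
    `<b>${escapeText(author)}</b>` +
    `<p title="${escapeAttr(body)}">${escapeText(body)}</p>` +
    `</div>`
  );
}

// Constructed sample input, as a comment form might submit it.
const sample = {
  author: 'alice_01',
  body: '<script>alert(1)</script> & "quotes"',
};

const rendered = renderComment(sample);
console.log(rendered);
```

Note that escapeText leaves quotes untouched, exactly as the DOM-based htmlEncode does, so a value escaped with it must only ever be placed between tags, never inside an attribute; the title attribute in renderComment uses escapeAttr for that reason.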

I've been blogging on Wordfinch, so I switched to Nuggets to give it a try. There are very few comments here, but it's relatively quiet and good for writing. Haha :-)