What is an XSS attack (pasted from Baidu)

XSS attack: an XSS attack usually exploits loopholes left in the development of a web page to inject malicious instruction code into the page through clever methods, so that users load and execute the attacker's malicious web page program.

Second, solutions

  1. Elegant solution: encode user input by escaping special characters such as <, ", &, and >, so that the browser displays them as a string.

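    // XSS-defence escaping as done in artTemplate.
    // Map each special character to its numeric HTML entity.
    var escapeMap = {
        "<": "&#60;",
        ">": "&#62;",
        '"': "&#34;",
        "'": "&#39;",
        "&": "&#38;"
    };

    // Replacement callback: look up the entity for a matched character.
    var escapeFn = function (s) {
        return escapeMap[s];
    };

    // Escape <, >, " and ', plus any & that is not followed by an entity-like name.
    // String() stands in for artTemplate's own toString helper, which is not shown here.
    var escapeHTML = function (content) {
        return String(content).replace(/&(?![\w#]+)|[<>"']/g, escapeFn);
    };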
  2. Brute-force solution: set the text only through innerText/textContent.

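    // The page leaves this function unnamed; escapeByTextNode is a name added so it parses.
    function escapeByTextNode(value) {
        // Non-string values are returned unchanged.
        if (typeof value !== 'string') {
            return value;
        }
        var str = value || '',
            temp = document.createElement("div"),
            obj;
        // Assign as plain text, falling back to innerText where textContent is missing.
        (temp.textContent != undefined) ? (temp.textContent = str) : (temp.innerText = str);
        // Reading innerHTML back returns the text with <, > and & escaped.
        obj = temp.innerHTML;
        temp = null;
        return obj;
    }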
  3. Third-party plug-ins: github.com/leizongmin/…
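
The following added example (not from the original post or from artTemplate) compares solutions 1 and 2 by output context: the entity map also escapes quotes, while the textContent/innerHTML round trip leaves them in place, so its result is suitable for element content but not for a quoted attribute value. `serializeTextNode`, `staysInContext`, `compare` and the sample inputs are assumptions made for this example; `serializeTextNode` stands in for the browser's text-node serialization so the code runs without a DOM.

```javascript
// Solution 1: the entity map, as shown on the page (String() stands in for
// artTemplate's own toString helper, which the page does not show).
const escapeMap = { "<": "&#60;", ">": "&#62;", '"': "&#34;", "'": "&#39;", "&": "&#38;" };
function escapeHTML(content) {
  return String(content).replace(/&(?![\w#]+)|[<>"']/g, (s) => escapeMap[s]);
}

// Solution 2 stand-in (assumption): what a browser returns from innerHTML
// after textContent was assigned. Text-node serialization escapes only
// &, <, > and U+00A0; quotes are left untouched.
function serializeTextNode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/\u00a0/g, "&nbsp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Characters that can leave each output context:
// element content ("text") or a quoted attribute value ("attribute").
const BREAKERS = { text: /[<>]/, attribute: /[<>"']/ };

// True when the escaped string has no character that can leave `context`.
function staysInContext(escaped, context) {
  return !BREAKERS[context].test(escaped);
}

// Constructed sample inputs, not from the original page.
const samples = ["<b>bold</b>", 'say "hi"', "it's & more", "5 > 3"];

// Run both escapers over each input and record which contexts stay intact.
function compare(inputs) {
  return inputs.map((input) => {
    const viaMap = escapeHTML(input);
    const viaDom = serializeTextNode(input);
    return {
      input,
      viaMap,
      viaDom,
      mapAttrSafe: staysInContext(viaMap, "attribute"),
      domTextSafe: staysInContext(viaDom, "text"),
      domAttrSafe: staysInContext(viaDom, "attribute"),
    };
  });
}

console.table(compare(samples));
```

Neither function covers unquoted attributes, URLs or inline script; those contexts need their own encoding.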