Update cross-site-scripting.md (#19860)

pull/19858/head
Rick Anderson 2020-09-14 12:37:36 -10:00 committed by GitHub
parent 6d29ce9d75
commit 32890f1a34
1 changed files with 11 additions and 9 deletions


@ -77,17 +77,18 @@ There may be times you want to insert a value into JavaScript to process in your
injectedData.dataset.untrustedinput; injectedData.dataset.untrustedinput;
// Put the injected, untrusted data into the scriptedWrite div tag. // Put the injected, untrusted data into the scriptedWrite div tag.
// Do NOT use document.write() on text sourced from attributes as // Do NOT use document.write() on dynamically generated data as it
// unicode escapes will be unescape in document.write() which can lead to XSS. // can lead to XSS.
document.getElementById("scriptedWrite").innerText += clientSideUntrustedInputOldStyle; document.getElementById("scriptedWrite").innerText += clientSideUntrustedInputOldStyle;
// Or you can use createElement() to dynamically create document elements // Or you can use createElement() to dynamically create document elements
// This time we're using textContent to ensure the data is not unescaped. // This time we're using textContent to ensure the data is properly encoded.
var x = document.createElement("div"); var x = document.createElement("div");
x.textContent = clientSideUntrustedInputHtml5; x.textContent = clientSideUntrustedInputHtml5;
document.body.appendChild(x); document.body.appendChild(x);
// You can also use createTextNode on an element to ensure data is not unescaped. // You can also use createTextNode on an element to ensure data is properly encoded.
var y = document.createElement("div"); var y = document.createElement("div");
y.appendChild(document.createTextNode(clientSideUntrustedInputHtml5)); y.appendChild(document.createTextNode(clientSideUntrustedInputHtml5));
document.body.appendChild(y); document.body.appendChild(y);
@ -116,17 +117,18 @@ The preceding markup generates the following HTML:
injectedData.dataset.untrustedinput; injectedData.dataset.untrustedinput;
// Put the injected, untrusted data into the scriptedWrite div tag. // Put the injected, untrusted data into the scriptedWrite div tag.
// Do NOT use document.write() on text sourced from attributes as // Do NOT use document.write() on dynamically generated data as it can
// unicode escapes will be unescape in document.write() which can lead to XSS. // lead to XSS.
document.getElementById("scriptedWrite").innerText += clientSideUntrustedInputOldStyle; document.getElementById("scriptedWrite").innerText += clientSideUntrustedInputOldStyle;
// Or you can use createElement() to dynamically create document elements // Or you can use createElement() to dynamically create document elements
// This time we're using textContent to ensure the data is not unescaped. // This time we're using textContent to ensure the data is properly encoded.
var x = document.createElement("div"); var x = document.createElement("div");
x.textContent = clientSideUntrustedInputHtml5; x.textContent = clientSideUntrustedInputHtml5;
document.body.appendChild(x); document.body.appendChild(x);
// You can also use createTextNode on an element to ensure data is not unescaped. // You can also use createTextNode on an element to ensure data is properly encoded.
var y = document.createElement("div"); var y = document.createElement("div");
y.appendChild(document.createTextNode(clientSideUntrustedInputHtml5)); y.appendChild(document.createTextNode(clientSideUntrustedInputHtml5));
document.body.appendChild(y); document.body.appendChild(y);
@ -143,7 +145,7 @@ The preceding code generates the following output:
``` ```
>[!WARNING] >[!WARNING]
> Do ***NOT*** concatenate untrusted input in JavaScript to create DOM elements or use `document.write()` on data sourced from attributes. > Do ***NOT*** concatenate untrusted input in JavaScript to create DOM elements or use `document.write()` on dynamically generated content.
> >
> Use one of the following approaches to prevent code from being exposed to DOM-based XSS: > Use one of the following approaches to prevent code from being exposed to DOM-based XSS:
> * `createElement()` and assign property values with appropriate methods or properties such as `node.textContent=` or node.InnerText=`. > * `createElement()` and assign property values with appropriate methods or properties such as `node.textContent=` or node.InnerText=`.