Home > Web Front-end > HTML Tutorial > A brief discussion on html escaping and methods to prevent javascript injection attacks

A brief discussion on html escaping and methods to prevent javascript injection attacks

不言
Release: 2018-06-05 14:32:31
Original
2315 people have browsed it

The following editor will bring you a brief discussion on HTML escaping and methods to prevent JavaScript injection attacks. The editor thinks it’s pretty good, so I’ll share it with you now and give it as a reference. Let’s follow the editor and take a look.

Sometimes there will be an input box on the page. After the user inputs the content, it will be displayed on the page, similar to a web chat application. If the user enters a js script, the ratio is: <script>alert('test');</script>, a dialog box will pop up on the page, or if the input script contains code that changes the js variables of the page, the program will be interrupted. Exception or to achieve the purpose of skipping certain verification. So how to prevent this kind of malicious js script attack? This problem can be solved by html escaping.

1: What is html escaping?

html escaping is to convert special characters or html tags into their corresponding characters. For example: < will be escaped to <> or escaped to > like "<script>alert('test');</script>" this character will be escaped to: "<script> alert('test');</script>" when displayed again, the page will parse < into <, > into >, thus restoring the user's real input. What is ultimately displayed on the page is still "< ;script>alert('test');", which avoids js injection attacks and truly displays user input.

2: How to escape?

1. Implemented through js

//转义 元素的innerHTML内容即为转义后的字符
function htmlEncode ( str ) {
 var ele = document.createElement(&#39;span&#39;);
 ele.appendChild( document.createTextNode( str ) );
 return ele.innerHTML;
}

//解析 
function htmlDecode ( str ) {
 var ele = document.createElement(&#39;span&#39;);
 ele.innerHTML = str;
 return ele.textContent;
}
Copy after login

2. Implemented through jquery

function htmlEncodeJQ ( str ) {
  return $(&#39;<span/>&#39;).text( str ).html();
}

function htmlDecodeJQ ( str ) {
  return $(&#39;<span/>&#39;).html( str ).text();
}
Copy after login

3. Use

var msg=htmlEncodeJQ(&#39;<script>alert(&#39;test&#39;);</script>&#39;);

$(&#39;body&#39;).append(msg);
Copy after login

It is recommended to use jquery for better compatibility.

The above is the detailed content of A brief discussion on html escaping and methods to prevent javascript injection attacks. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template