During the Tencent interview the day before yesterday, I was asked a question about XSS attacks: is it safe to use input filtering plus output encoding together with HttpOnly? (You'd better paste the code and give an example, thank you.)
If there is something like an HTML editor on the page, you need to drop some tags and attributes in the filter, such as <link>, <script> and <iframe> tags, element event attributes, the onerror attribute of img, and so on.
link changes the style; script tags can introduce harmful JS; element events and some attributes can execute JS code (such as the onerror attribute of img).
For example:
<script src="http://a/danger.js">
http://danger.com'">
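The filtering and output encoding described in the answer above, written out as an added example (not code from any answer in this thread). It goes one step further than deleting dangerous tags: every tag is rebuilt from an allowlist, event attributes are never copied, href/src must carry a literal http(s) scheme, and everything else is entity-encoded. The allowed tag and attribute names, the example URLs and the sample inputs are assumptions; it runs stand-alone under Node.

```javascript
// Added example, not code from the thread. Allowlist for a rich-text editor:
// which tags survive and which attributes each may carry (illustrative choices).
const ALLOWED_TAGS = new Map([
  ['b', []], ['i', []], ['p', []], ['br', []],
  ['a', ['href', 'title']],
  ['img', ['src', 'alt']],
]);

// Output encoding for HTML text and attribute-value contexts.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// href/src must start with a literal http(s) scheme; javascript:, data: and
// entity-disguised schemes all fail this one check.
function isSafeUrl(v) {
  return /^https?:\/\//i.test(v.trim());
}

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Rebuild one tag from the allowlist instead of editing the submitted string.
function rebuildTag(closing, name, rawAttrs) {
  const allowedAttrs = ALLOWED_TAGS.get(name);
  if (!allowedAttrs) return '';          // script, iframe, link, style... are dropped
  if (closing) return `</${name}>`;
  let out = `<${name}`;
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (attr.startsWith('on')) continue;  // onerror, onclick, ... are never kept
    if (!allowedAttrs.includes(attr)) continue;
    if ((attr === 'href' || attr === 'src') && !isSafeUrl(value)) continue;
    out += ` ${attr}="${encodeForHtml(value)}"`;
  }
  return out + '>';
}

// Filter: anything that is not a recognised tag is treated as text and encoded.
function sanitizeRichText(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += encodeForHtml(html.slice(last, m.index));
    out += rebuildTag(m[1] === '/', m[2].toLowerCase(), m[3]);
    last = m.index + m[0].length;
  }
  return out + encodeForHtml(html.slice(last));
}
```

In production a maintained sanitiser such as DOMPurify is the better choice, since hand-written HTML parsing is where filters are usually bypassed. HttpOnly only keeps the cookie out of document.cookie; it does not stop an injected script from acting inside the page, so it complements the filter and encoding rather than replacing them.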
Meituan recently published a column on defending against XSS attacks; you can take a look. It is clear that XSS has no absolute defense; it can only be said that XSS attacks are avoided through the cooperation of the front end and back end and their own coding standards. I hope you read it, as that article is very informative. I also have a collection of specific methods for preventing XSS. I hope it will be of some help to you.