XSS vulnerabilities in jQuery DOM methods
Input
Output (native innerHTML)
The HTML5 spec states that script tags inserted via innerHTML will not be executed.
Injection goes here...
Output ($.html())
jQuery DOM methods strip and eval() any script tags passed in, exposing an XSS vulnerability.
Injection goes here...
Output ($.text())
This method treats the passed string as a textNode, preventing it from being executed by the browser.
Injection goes here...
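A review aid for the behaviour shown above, added here and not part of the original demo: a Node.js heuristic that flags jQuery HTML-parsing calls whose argument is not a constant string, so each one can be checked or switched to `.text()`. The sink list, the function names and the sample lines are assumptions constructed for this example.

```javascript
// Added example: a line-based heuristic, not a JavaScript parser.
// jQuery methods that parse an HTML string and run any <script> it contains
// (list chosen for this example; extend it to match your code base).
const HTML_SINKS = ['html', 'append', 'prepend', 'after', 'before', 'replaceWith'];
const SINK_CALL = new RegExp('\\.(' + HTML_SINKS.join('|') + ')\\(\\s*([^)]*)\\)', 'g');

// A single quoted literal with no concatenation or interpolation counts as constant markup.
function isConstantString(arg) {
  return /^(['"])(?:(?!\1)[^\\]|\\.)*\1$/.test(arg) || /^`[^`$]*`$/.test(arg);
}

// Returns one finding per sink call whose argument could carry untrusted data.
// Nested calls such as .html(escape(x)) are still reported so a reviewer confirms them.
function findHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(SINK_CALL)) {
      const arg = m[2].trim();
      if (arg === '' || isConstantString(arg)) continue; // getter call or constant markup
      findings.push({ line: i + 1, method: m[1], argument: arg });
    }
  });
  return findings;
}

// Constructed sample input mirroring the three outputs of the demo.
const SAMPLE = [
  "$('#out-html').html(userInput);",                   // flagged: parsed as HTML
  "$('#out-text').text(userInput);",                   // safe: inserted as a text node
  "$('#banner').html('<b>Saved</b>');",                // constant markup
  "var current = $('#out-html').html();",              // getter, no argument
  "$('#list').append('<li>' + item.name + '</li>');",  // flagged: concatenation
].join('\n');

for (const f of findHtmlSinks(SAMPLE)) {
  console.log(`line ${f.line}: .${f.method}(${f.argument}) parses HTML; prefer .text() or escape first`);
}
```
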