What is an XSS attack
An attacker injects malicious code into a web page by some crafty means, so that a user who loads the page also executes the script the attacker planted there.
Typical goals are stealing cookies and obtaining other sensitive information.
Preventing XSS attacks
When a click takes the contents of a textarea and inserts them into the DOM, those contents may include a script the user typed in.
Prevention method
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="ie=edge">
  <title>Document</title>
  <!-- DOMPurify: sanitizes an HTML string before it is inserted into the DOM -->
  <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.0.3/purify.min.js"></script>
  <style>
    .add {
      display: block;
      padding: 5px 20px;
      background-color: aquamarine;
      outline: none;
      border-radius: 2px;
      border-width: 1px;
      cursor: pointer;
    }
    .textarea {
      width: 300px;
      height: 150px;
    }
    .response {
      width: 300px;
    }
    .res-header {
      color: #2ae2b8;
      padding: 10px 0;
      border-bottom: 1px solid gray;
    }
    .res-body {
      margin-top: 10px;
      text-indent: 20px;
    }
  </style>
</head>
<body>
  <div class="com">
    <div>
      <textarea class="textarea" name="" id=""></textarea>
      <button class="add">add</button>
    </div>
    <div class="response"></div>
    <!-- Test payload: paste this into the textarea; without sanitizing, the onload handler would run -->
    <!-- <img src="https://cdn4.buysellads.net/uu/1/3386/1525189943-38523.png" alt="" onload="alert('attack')"> -->
  </div>
  <script>
    const texta = document.getElementsByClassName('textarea')[0],
      add = document.getElementsByClassName('add')[0],
      response = document.getElementsByClassName('response')[0],
      user = 'Hello';

    // Tag function: rebuilds the template string together with its interpolated
    // values, then passes the whole (untrusted) string through DOMPurify.
    // The last element of `strs` has no matching argument, hence the length check.
    function sanitize(strs, ...args) {
      const dirty = strs.reduce(
        (prev, curr, i) => `${prev}${curr}${i < args.length ? args[i] : ''}`,
        ''
      );
      return DOMPurify.sanitize(dirty);
    }

    add.addEventListener('click', function (e) {
      e.preventDefault();
      const text = texta.value.trim();
      if (text) {
        // The user's text is sanitized before it ever reaches innerHTML
        response.innerHTML = sanitize`
          <div class="res-header">${user}</div>
          <div class="res-body">${text}</div>
        `;
      }
    }, false);
  </script>
</body>
</html>
After this, a script entered by the user will not execute.
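As an added example that is not part of the original post, here is the complementary defence for the same tagged-template pattern: instead of sanitizing the whole string with DOMPurify, it HTML-escapes only the interpolated user values, so the textarea contents are displayed as literal text rather than rendered as markup. The names `html`, `escapeHtml`, `renderResponse` and the sample payload are introduced here and are not from the page; it runs in Node without a DOM.

```javascript
// Added example (not from the original post): a tagged template that
// HTML-escapes only the interpolated values, leaving the static template
// parts untouched. It is an alternative to the DOMPurify-based `sanitize`
// tag for the case where user text should be shown as text, not as HTML.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tag function: `strs` are the trusted literal parts written by the developer,
// `args` are the untrusted interpolations. Only the latter are escaped.
// `strs` always has one more element than `args`, hence the length check.
function html(strs, ...args) {
  return strs.reduce(
    (out, part, i) => out + part + (i < args.length ? escapeHtml(args[i]) : ''),
    ''
  );
}

// Builds the same response markup as the page's click handler would.
function renderResponse(user, text) {
  return html`<div class="res-header">${user}</div><div class="res-body">${text}</div>`;
}

// Constructed sample input mirroring the commented-out payload in the page.
const SAMPLE_PAYLOAD = '<img src="x" onload="alert(\'attack\')">';

console.log(renderResponse('Hello', SAMPLE_PAYLOAD));
```

Unlike DOMPurify, this approach keeps no user-supplied tags at all, so use it when the response body is plain text and the sanitizer when a limited set of markup must be allowed.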