Security risks from user-submitted HTML
I am using a contentEditable div that allows users to edit the body HTML and then post it directly to site using an AJAX request. Naturally, I have to do some security checks o
-
Yes and yes.
There are A LOT of ways for users to inject scripts without script tags.
They can do it in JS handlers
They can do it in hrefs
Click me fool!!They can do it from an external source
They can do it in ALL SORTS of ways.
I am afraid that the idea of allowing users to do this is just not a good one. Look at using Wiki markup/down instead. It'll be much safer.
加载中...
- 热议问题