Is it safe to re-execute an inserted <script> node?

送分小仙女 submitted on 2019-12-11 08:20:05

Question


This is a spin-off from the comments here.

I'm using SquareSpace to build my site, and for some things I like to use their HTML code blocks directly within the page, and include some JavaScript within that (in a <script></script> block). The problem is that SquareSpace's AJAX loading inserts that script node as innerHTML to the code div, so the script doesn't get executed.

So I've added some site-wide code that detects newly inserted SquareSpace code blocks, looks for a <script> node within them, and then re-inserts the script node (using this code) to execute it. This is what my JavaScript with jQuery code looks like:

$(document).bind("DOMNodeInserted",function(e){
  var script_nodes = $(e.target).find(".sqs-block-code").find("script");
  script_nodes.each(function() {
    var s = document.createElement('script');
    s.type = 'text/javascript';
    var code = this.textContent;
    try {
      s.appendChild(document.createTextNode(code));
      $(this).after($(s));
    } catch (e) {
      s.text = code;
      $(this).after($(s));
    }
    $(this).remove();
  });
});

My question is whether this adds a security risk (especially XSS). I thought that maybe it doesn't have additional risk, because if an attacker could get a <script> node inserted in the first place, then bets are off anyway?

Source: https://stackoverflow.com/questions/58960105/is-it-safe-to-re-execute-an-inserted-script-node
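A narrower variant of the re-execution handler described in the question, as an added example that is not part of the original post: it re-runs an inline script from a `.sqs-block-code` block only when the SHA-256 digest of its text is on a list kept in the site-wide code, the same digest a CSP `'sha256-...'` source uses. `ALLOWED_DIGESTS`, `digestOf`, `isAllowed`, `rerunIfAllowed` and the `data-rerun` marker are names assumed for illustration.

```javascript
// Assumption: the site owner lists the base64 SHA-256 digest of every script
// they placed in a code block (compute one with digestOf(text) in the console).
const ALLOWED_DIGESTS = new Set();

// Web Crypto in the browser; the Node fallback only lets the helpers run offline.
const subtle = globalThis.crypto && globalThis.crypto.subtle
  ? globalThis.crypto.subtle
  : require('node:crypto').webcrypto.subtle;

// base64(SHA-256(UTF-8 text))
async function digestOf(text) {
  const buf = await subtle.digest('SHA-256', new TextEncoder().encode(text));
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin);
}

// True only for script text whose digest is on the list.
async function isAllowed(text, allowed = ALLOWED_DIGESTS) {
  return allowed.has(await digestOf(text));
}

// Replace one inert <script> with an executing copy, if and only if it is listed.
async function rerunIfAllowed(oldScript, allowed = ALLOWED_DIGESTS) {
  // External scripts and copies this handler already inserted are left alone.
  if (oldScript.src || oldScript.dataset.rerun === 'done') return false;
  const code = oldScript.textContent;
  if (!(await isAllowed(code, allowed))) return false;
  const s = document.createElement('script');
  s.dataset.rerun = 'done';
  s.textContent = code;
  oldScript.replaceWith(s); // a script built with createElement runs on insertion
  return true;
}

if (typeof document !== 'undefined') {
  // MutationObserver replaces the deprecated DOMNodeInserted mutation event.
  new MutationObserver((records) => {
    for (const r of records) {
      for (const n of r.addedNodes) {
        if (n.nodeType !== 1) continue; // element nodes only
        n.querySelectorAll('.sqs-block-code script')
          .forEach((el) => rerunIfAllowed(el));
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

Any edit to a script's text, including whitespace, changes its digest, so the list has to be updated whenever a code block is edited.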
