One of the most common errors is HTML injection, allowing third parties to inject JavaScript into your security context. That allows an attacker to control what a user does on your site, completely breaking account security.

最常见的错误之一是 HTML 注入，允许第三方将 JavaScript 注入您的安全上下文。这允许攻击者控制用户在您网站上的行为，从而完全破坏帐户安全。

Whilst there has been some slow progress trying to get web authors to remember to HTML-encode strings they output into web pages at the server side (eg htmlspecialcharsin PHP), a new generation of webapps are using the same dumb string-concatenation hacks to create content at the client-side using JavaScript:

虽然在试图让网络作者记住将他们输出到服务器端（例如htmlspecialchars在 PHP 中）的网页中的字符串进行 HTML 编码方面取得了一些缓慢的进展，但新一代的网络应用程序正在使用相同的愚蠢的字符串连接技巧来创建使用 JavaScript 的客户端内容：

somediv.innerHTML= '<p>Hello, '+name+'</p>';

often using jQuery:

经常使用jQuery：

$('table').append('<tr title="'+row.title+'"><td>'+row.description+'</td></tr>');

This is just as vulnerable as server-side HTML injection and authors really need to stop building content this way. You canHTML-encode text content at the client side, but since JS doesn't have a built-in HTML encoder you'd have to do it yourself:

这与服务器端 HTML 注入一样容易受到攻击，作者真的需要停止以这种方式构建内容。您可以在客户端对文本内容进行 HTML 编码，但由于 JS 没有内置的 HTML 编码器，因此您必须自己进行：

function encodeHTML(s) {
    return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}

somediv.innerHTML= '<p>Hello, '+encodeHTML(name)+'</p>';

However it's usually much better to use the available DOM methods and properties that obviate the need for escaping:

然而，使用不需要转义的可用 DOM 方法和属性通常会更好：

var p= document.createElement('p');
p.appendChild(document.createTextNode('Hello, '+name);

and with jQuery use attr(), text()and the creation shortcuts:

与jQuery的使用attr()，text()并建立快捷方式：

$('table').append(
    $('<tr>', {title: row.title}).append(
        $('<td>', {text: row.description})
    )
);

Javascript runs on the client side so the biggest risk is for the client. An example of a risk is that their cookie could be stolen so that another user can impersonate them. A common method of attack is to inject Javascriptinto the page via a form submission. To prevent this you should ensure that you always properly escape HTML output.

Javascript 在客户端运行，因此最大的风险在于客户端。风险的一个例子是他们的 cookie 可能被盗，以便其他用户可以冒充他们。一种常见的攻击方法是通过表单提交将 Javascript注入页面。为了防止这种情况，您应该确保始终正确转义 HTML 输出。

Your server side security should notdepend on the security of the Javascript. You should assume that your attacker can and will change the HTML/CSS/Javascript on your pages to try to view information that is not normally visible, and they will send data to your server that shouldn't be possible to send via the normal interface. To protect against this you should always validate all user inputs - treat it as completely untrusted data. Don't rely on assumptions about the content your users will send you - always explicitly check the assumptions you require to be true.

你的服务器端的安全性应该不依赖于JavaScript的安全。您应该假设您的攻击者可以并且将会更改您页面上的 HTML/CSS/Javascript 以尝试查看通常不可见的信息，并且他们会将数据发送到您的服务器，而这些数据不应通过正常界面发送. 为了防止这种情况，您应该始终验证所有用户输入 - 将其视为完全不受信任的数据。不要依赖关于用户将向您发送的内容的假设 - 始终明确检查您需要的假设是否正确。

There are no risks. Just possible programmer's errors. One error I can think of is to forget to url encode parameters sent to the server and it gets the wrong values. But the real security risk is in the server side code, not javascript.

没有风险。只是可能的程序员错误。我能想到的一个错误是忘记 url 编码发送到服务器的参数，它得到了错误的值。但真正的安全风险在于服务器端代码，而不是 javascript。