javascript 什么是“转义”和“未转义”输出
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20727910/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What is "Escaped" & "Unescaped" output
提问by apasajja
I'm not familiar with Javascript
我不熟悉 Javascript
Learning template node.js template engine, it has "Escaped" & "Unescaped" output
学习模板 node.js 模板引擎,它有“Escaped”和“Unescaped”输出
What actually is "Escaped" & "Unescaped" output?
“转义”和“未转义”输出实际上是什么?
Is it like "include once" & "include"?
就像“包含一次”和“包含”一样?
(Google giving no result about this)
(谷歌对此没有给出任何结果)
回答by thefourtheye
Escaping and unescaping are useful to prevent Cross Site Scripting(XSS) attack. It is one of the common web attacks, since it will be easy to create an attack vector if the site is not designed carefully. Its ranked number 3 in the OWASP's Top 10 vulnerabilities of 2013.
转义和非转义对于防止Cross Site Scripting(XSS)攻击很有用。它是常见的 Web 攻击之一,因为如果站点设计不仔细,很容易创建攻击向量。它的排名number 3 in the OWASP's Top 10 vulnerabilities of 2013。
The main intention is to, NOTto let the browser execute or interpret the HTTP response in a different way than intended.
主要目的是不要让浏览器以与预期不同的方式执行或解释 HTTP 响应。
For example, lets say you have a web page which accepts the user to enter his address and you want the user to confirm it in the next page. So, you are getting the address entered by the user and displaying it in the next page. If the user enters a valid address, it will not be a problem. What if the user enters something like this
例如,假设您有一个接受用户输入地址的网页,并且您希望用户在下一页确认。因此,您将获得用户输入的地址并将其显示在下一页中。如果用户输入有效地址,则不会有问题。如果用户输入这样的东西怎么办
<script>
alert("Welcome");
</script>
Your next page will simply produce an alert box saying Welcome. Now, consider this case. You are writing a blogging application, and the user enters the above seen script in the text box provided. You ll be storing it in DB and whoever wants to see your blog will get to see that alert box. Worst thing is, if the attacker puts that in an infinite loop, whoever visits that blog will not be able to read the content at all.
您的下一页将简单地产生一个警告框说Welcome。现在,考虑这个案例。您正在编写一个博客应用程序,用户在提供的文本框中输入上面看到的脚本。您将把它存储在数据库中,任何想要查看您博客的人都会看到该警报框。最糟糕的是,如果攻击者将其置于无限循环中,那么访问该博客的人将根本无法阅读内容。
This is just one of the basic attacks, which is possible if you don't escape the text.
这只是基本攻击之一,如果你不逃避文本,这是可能的。
So, normally, the text user entered will be escaped and then stored in DB. For example, the above seen attack vector (the script tag thing) will become like this, after HTML escaping
因此,通常情况下,用户输入的文本将被转义,然后存储在 DB 中。比如上面看到的攻击向量(脚本标签的东西)会变成这样,经过HTML escaping
<script><br/> alert("Welcome");<br/></script>
Now, browser will not consider this as a script element but a HTML element, so it will display it as
现在,浏览器不会将其视为脚本元素,而是将其视为 HTML 元素,因此会将其显示为
<script>
alert("Welcome");
</script>
instead of executing it.
而不是执行它。
回答by milandjukic88
Escape: This function encodes special characters, with the exception of: * @ - _ + . / http://www.w3schools.com/jsref/jsref_escape.asp
转义:此函数对特殊字符进行编码,但以下情况除外: * @ - _ + 。/ http://www.w3schools.com/jsref/jsref_escape.asp
Unescape: The unescape() function decodes an encoded string. http://www.w3schools.com/jsref/jsref_unescape.asp
Unescape:unescape() 函数对编码的字符串进行解码。 http://www.w3schools.com/jsref/jsref_unescape.asp
