gpt4 book ai didi

angular - 在 Angular 5 中使用 [innerHTML] 安全吗?

转载 作者:太空狗 更新时间:2023-10-29 17:18:53 30 4
gpt4 key购买 nike

我看到过相互矛盾的报告,即在 Angular2+ 中使用 [innerHTML] 标签是危险的。情况仍然如此还是已经修复?

例如这段代码是否危险:

<div [innerHTML]="post.body"></div>

最佳答案

here 中所述(在 Angular 网站本身),看起来没有什么后顾之忧,因为 Angular 会自动识别不安全的值并对其进行清理。

这是里面写的:

Interpolated content is always escaped—the HTML isn't interpreted and the browser displays angle brackets in the element's text content.

For the HTML to be interpreted, bind it to an HTML property such as innerHTML. But binding a value that an attacker might control into innerHTML normally causes an XSS vulnerability. For example, the code contained in a <script> tag is executed:

export class InnerHtmlBindingComponent {
// For example, a user/attacker-controlled value from a URL.
htmlSnippet = 'Template <script>alert("0wned")</script> <b>Syntax</b>';
}

Angular recognizes the value as unsafe and automatically sanitizes it, which removes the <script> tag but keeps safe content such as the text content of the <script> tag and the <b> element.

所以我认为,是的,它是安全的。

关于angular - 在 Angular 5 中使用 [innerHTML] 安全吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/47395483/

30 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com