我有全局$ .ajaxPrefilter函数,可以像这样过滤XSS的值:
if (typeof filterXSS == 'function') {
$.ajaxPrefilter(function(options, origOptions, jqXHR) {
if (typeof options.data == 'string') {
var object = {};
options.data.split('&').forEach(function(pair) {
pair = pair.split('=');
object[pair[0]] = decodeURIComponent(pair[1].replace(/\+/g, ' '));
});
var newData = {};
options.data = Object.keys(object).map(function(key) {
var value = filterXSS(object[key]);
return key + '=' + encodeURI(value.replace(/ /g, '+'));
}).join('&');
} else {
console.log(typeof options.data);
console.log(options.data);
}
});
}
它工作正常,除非我用这样的FormData
调用ajax请求:
var file = files.shift();
if (file) {
var formData = new FormData();
formData.append(file);
formData.append('value', '<script>alert("x");</script>');
$.ajax({
method: 'POST',
url: $form.attr('action'),
data: formData,
cache: false,
contentType: false,
processData: false
});
}
如何在FormData
内处理$.ajaxPrefilter
,我尝试迭代options.data
,但只能追加:
for (var i in options.data) {
console.log(i);
}