如何清理JS输入

时间:2019-11-08 11:17:36

标签: javascript laravel

嗨,我有一个Java脚本代码来处理模态和一些输入数据。代码工作正常,但是现在在代码扫描后我遇到了问题。扫描工具给我 潜在客户XSS 错误,并要求我清理输入内容。

错误说明:

Method $ at line 484 of public/js/Activity/dailyActivity.js gets user input for the attr element. This element’s
value then flows through the code without being properly sanitized or validated and is eventually displayed to
the user in method $ at line 484 of public/js/Activity/dailyActivity.js. This may enable a Cross-Site-Scripting
attack.

JS代码:

var job_id;

    // Delete action
    $(document).on("click", ".deleteButton", function() {
        var jobcycid = $(this).attr("data-jobcycid");
        job_id = $(this).attr("id");
        $("#deleteModal").modal("show");
        $("#jcId").html(jobcycid);
    });

我不太擅长JS,但仍处于初学者水平。谁能告诉我如何清理此输入?

扫描报告突出显示以下几行:

....
485. var jobcycid = $(this).attr("data-jobcycid");
....
488. $("#jcId").html(jobcycid);

1 个答案:

答案 0 :(得分:0)

我找到了解决方案。

我创建了以下函数来清理从HTML值生成的任何变量:

// Sanitize and encode all HTML in a user-submitted string
    var sanitizeHTML = function(str) {
        var temp = document.createElement("div");
        temp.textContent = str;
        return temp.innerHTML;
    };

然后您可以使用它来清理变量:

var jobcycid = sanitizeHTML($(this).attr("data-jobcycid"));