dangerouslySetInnerHtml


Question


Is there an example of misuse of dangerouslySetInnerHTML in ReactJS?

Every time I look this up, it's just someone waving their hand and saying "cross site scripting."

I've seen dangerouslySetInnerHTML used to load CSS files with a css loading npm module:

import {stylesheet, classNames} from '../static/css/styles.css'
<Head><style dangerouslySetInnerHTML={{__html: stylesheet}} /></Head>

And I'm contemplating using dangerouslySetInnerHTML for some script tags for social media share buttons that have been causing my team trouble.

Code examples and explanations of how one would go about hacking a page with XSS would be highly appreciated!

Solution
<span dangerouslySetInnerHTML={{__html: someTextSubmittedByAUser}}></span>

Imagine if you had a comment section on your page and someone submitted a comment with:

<script>while(1){}</script>

and you just passed that as the inner HTML to some node. Now anyone who hits a page which loads that comment will have their tab lock up.

There are far more nefarious things people can do. Copying your cookies and sending them to a remote server, for example.
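A review check for the pattern discussed above, as an added example that is not part of the original question or answer: it lists every `dangerouslySetInnerHTML` use in JSX source and reports whether the value goes through a sanitizer. It assumes the project sanitizes with `DOMPurify.sanitize()`; the names `scan`, `classify` and `SAMPLE` are hypothetical.

```javascript
// Added example (not from the original post): a review heuristic, not a JSX parser.
// Assumption: the project sanitizes HTML with DOMPurify.sanitize(); change SANITIZED otherwise.
const SANITIZED = /^DOMPurify\.sanitize\s*\([^()]*\)$/;

// Captures the expression inside dangerouslySetInnerHTML={...}, ending at the
// brace that is followed by the end of the tag or by another attribute.
const USE = /dangerouslySetInnerHTML\s*=\s*\{([\s\S]*?)\}(?=\s*\/?>|\s+[A-Za-z])/g;

function classify(expr) {
  // React only accepts an object with an __html key for this prop.
  const m = /^\{\s*__html\s*:\s*([\s\S]*?)\s*\}$/.exec(expr.trim());
  if (!m) return "malformed";
  // Only a value that is exactly one sanitizer call counts as sanitized.
  return SANITIZED.test(m[1]) ? "sanitized" : "review";
}

function scan(source) {
  const findings = [];
  for (const match of source.matchAll(USE)) {
    // 1-based line number of the start of the match.
    const line = source.slice(0, match.index).split("\n").length;
    findings.push({ line, expr: match[1].trim(), verdict: classify(match[1]) });
  }
  return findings;
}

// Constructed sample modelled on the snippets in the question and answer.
const SAMPLE = [
  "<Head><style dangerouslySetInnerHTML={{__html: stylesheet}} /></Head>",
  "<span dangerouslySetInnerHTML={{__html: someTextSubmittedByAUser}}></span>",
  "<span dangerouslySetInnerHTML={someTextSubmittedByAUser}></span>",
  "<span dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(comment)}}></span>",
  "<span>{someTextSubmittedByAUser}</span>", // plain text child: React escapes it
].join("\n");

for (const f of scan(SAMPLE)) {
  console.log(`line ${f.line}: ${f.verdict.padEnd(9)} ${f.expr}`);
}
```

A "review" verdict is a prompt to check where the value comes from: a stylesheet imported at build time and text submitted by a user look the same to this check, and only the second is attacker-controlled. The `react/no-danger` rule in eslint-plugin-react flags the prop at lint time.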


09-24 11:59