main.xxxxxxxxxxxx.js in build file contains img src=x onerror=alert(1) which is related to XSS vulnerability. Is there a way to get rid of it?

When doing a production build in Angular, the generated main.xxxxxxxx.js contains the code

<img src="</style><img src=x onerror=alert(1)"//>

which we can find by doing Ctrl + F. I have confirmed this behavior in multiple projects, including boilerplate projects. Since this particular line of code looks malicious because it is related to XSS attacks, is there a way to get rid of it? Also, can someone explain why this suspicious line exists, whether it has any purpose, or whether it is an Angular bug?

can someone explain why this suspicious line exists, if by any chance

It seems to be inserted as a sanitization script; you can see it being added here

inertBodyElement.innerHTML = '<svg><p><style><img src="</style><img src=x onerror=alert(1)//">';

and this class has the description

/**
 * This helper class is used to get hold of an inert tree of DOM elements containing dirty HTML
 * that needs sanitizing.
 * Depending upon browser support we must use one of three strategies for doing this.
 * Support: Safari 10.x -> XHR strategy
 * Support: Firefox -> DomParser strategy
 * Default: InertDocument strategy
 */

The spec file references a DOMPurify release which seems to be related to a Mozilla security bug. The DOMPurify release notes state:

Users who install this latest release are not affected by the bug anymore as DOMPurify fixes around the problem and mitigates the issue by not trusting Gecko's innerHTML implementation any much longer. Instead of the combination of document.implementation and doc.body.outerHTML, DOMPurify is now using the DOMParser feature available in all modern browsers.

So this code sanitizes the DOM to prevent this XSS attack. It is not itself a vulnerability.

is there a way to get rid of it?

You don't want to get rid of this; it's a good thing.