Friday, 15 June 2012

javascript - Is my anti-XSS function safe?

I have JavaScript functions on a website, and I don't know if it is safe to use them.

Here is the code:

// works like PHP's $_GET: read one parameter from the query string
function get(name) {
    // escape [ and ] so the name can be used inside a regular expression
    name = name.replace(/[\[]/, "\\\[").replace(/[\]]/, "\\\]");
    var regexS = "[\\?&]" + name + "=([^&#]*)";
    var regex = new RegExp(regexS);
    var results = regex.exec(window.location.href);
    if (results == null) return '';
    return results[1];
}

// and here is the anti-XSS filter: strip anything that looks like a tag
var param = unescape(decodeURI(get("q")));
param = param.replace(/<(.*?)>/gi, "");
someElement.innerHTML = param;

Is it possible to bypass these filters?

Do not try to find XSSes on the way into the application. The program may transform data internally in such a way that the filter becomes circumventable.

Instead, apply proper HTML encoding of data on the way out of the application. That is the way to avoid vulnerabilities.
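As an added example, not part of the question or the answer above, here is what the answer's advice looks like in code: the query parameter is read as-is and encoded only at the point where it becomes markup, rather than being stripped on the way in. The function names, the constructed sample URL and the `out` element id are my own assumptions, not anything from the original post.

```javascript
// Added example (not from the original post): encode on output instead of
// stripping on input. All names in this block are assumptions of mine.

// Escape the five characters that can open or close HTML markup or an
// attribute value; everything else is safe to emit as text.
function escapeHtml(str) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Read one query-string parameter from a URL. Unlike the original get(),
// this uses the URL API, so "%3C" and "+" are decoded the same way a
// server-side framework would decode them, and the raw value is returned.
function getQueryParam(url, name) {
  var value = new URL(url).searchParams.get(name);
  return value === null ? "" : value;
}

// Build an HTML fragment for the parameter. Encoding happens here, at the
// output boundary, so no earlier transformation of the data can undo it.
function renderParamAsHtml(url, name) {
  return "<span>" + escapeHtml(getQueryParam(url, name)) + "</span>";
}

// In a browser the simplest correct form is to never build markup at all:
// textContent treats the whole string as text, whatever it contains.
function renderParamAsText(element, url, name) {
  element.textContent = getQueryParam(url, name);
}

// Constructed sample URL: the q parameter carries markup characters,
// an ampersand and quotes, all URL-encoded.
var SAMPLE_URL = "https://example.test/page?q=%3Cb%3Ehello%3C%2Fb%3E+%26+%22quotes%22";

if (typeof document !== "undefined") {
  // browser: write the parameter into <span id="out"> as plain text
  var target = document.getElementById("out");
  if (target) renderParamAsText(target, window.location.href, "q");
} else {
  // Node: show the encoded fragment for the sample URL
  console.log(renderParamAsHtml(SAMPLE_URL, "q"));
}
```

The decoded value of `q` in the sample is `<b>hello</b> & "quotes"`; `renderParamAsHtml` turns it into `<span>&lt;b&gt;hello&lt;/b&gt; &amp; &quot;quotes&quot;</span>`, which the browser displays literally. Because the encoding is applied where the string meets the DOM, it does not matter what `unescape`, `decodeURI` or any other step did to the data earlier.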

javascript security filter xss
