防止XSS攻击的过滤器简单实现

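/**
 * Escape untrusted text for insertion into an HTML body, keeping only bare
 * <h1>/<h2> open and close tags.
 *
 * Fixes relative to the previous version:
 *  - translateMap mapped '<' to '<' and '>' to '>' (the entities were lost when
 *    the listing was rendered), so nothing was actually escaped; it now maps to
 *    '&lt;' / '&gt;'.
 *  - A stray '<' or '>' that is not part of a complete <...> token was left
 *    untouched, so a payload such as `<img src=x onerror=alert(1)` with no
 *    closing '>' went through verbatim and the browser still parsed it as a
 *    tag. Every '<' and '>' outside a whitelisted tag is now escaped.
 *  - Non-string / missing input is coerced instead of throwing.
 *
 * A tag survives only if the text between '<' (or '</') and '>' is exactly a
 * whitelisted tag name, so attributes, whitespace and self-closing slashes are
 * always escaped (`<h1 onclick=x>` is rejected).
 * Only '<' and '>' are escaped; the output is for element content, not for
 * attribute values or script/style contexts.
 *
 * @param {string} xss - Untrusted text (anything else is stringified, null/undefined become '').
 * @returns {string} The text with all non-whitelisted angle brackets HTML-escaped.
 */
function filter(xss) {
  var whiteList = ['h1', 'h2']; // bare tags allowed through verbatim
  var translateMap = { '<': '&lt;', '>': '&gt;' };
  var input = xss == null ? '' : String(xss);

  function escapeAngles(text) {
    return text.replace(/[<>]/g, function(ch) {
      return translateMap[ch];
    });
  }

  // Either a complete <...> / </...> token (inner text captured) or a lone
  // angle bracket; the second alternative guarantees no bracket is skipped.
  return input.replace(/<\/?([^<>]*)>|[<>]/g, function(token, inner) {
    if (inner !== undefined && whiteList.indexOf(inner) >= 0) {
      return token;
    }
    return escapeAngles(token);
  });
}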
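// Demo driver: read the first query-string value (?xss=<payload>) and write it
// into the page twice, once raw and once through filter(), so the two can be
// compared in the rendered document.
var search = location.search;
var query = search.slice(1);

// decodeURIComponent throws on malformed percent-encoding (e.g. a lone '%');
// fall back to the raw text so one bad parameter does not abort the script.
function safeDecode(str) {
  try {
    return decodeURIComponent(str);
  } catch (e) {
    return str;
  }
}

var params = query.split('&').map(function(str) {
  // Split on the first '=' only, so a value containing '=' is not truncated,
  // and a bare key yields '' rather than the string "undefined".
  var eq = str.indexOf('=');
  var key = eq === -1 ? str : str.slice(0, eq);
  var val = eq === -1 ? '' : str.slice(eq + 1);
  return { key: safeDecode(key), val: safeDecode(val) };
});
console.log(params);

// The first parameter's value is the untrusted payload under test.
var xss = params.length > 0 ? params[0].val : '';
console.log(xss);
console.log(filter(xss));

document.open();
// WARNING: deliberately vulnerable control case for this demo. Writing the
// raw, attacker-controlled query value into the document is reflected XSS;
// it exists only to contrast with the filtered output below.
document.write(xss);
// Filtered version: only bare <h1>/<h2> tags survive, all other angle
// brackets are escaped.
document.write(filter(xss));
document.close();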

//eg http://127.0.0.1:8080/?xss=<payload>   (the original example payload was lost when this page was rendered as HTML; any percent-encoded HTML tag passed in the xss parameter exercises the filter)


 
