Correct grammar errors in 04.3.md
@@ -1,19 +1,19 @@
|
||||
# 4.3 Cross site scripting
|
||||
|
||||
Today's websites have much more dynamic content in order to improve user experience, which means we can provide dynamic information depends on every individual's behavior. However, there is a thing called "Cross site scripting" (known as "XSS") always attacking dynamic websites, and static websites are completely fine at this time.
|
||||
Today's websites have much more dynamic content in order to improve user experience, which means that we must provide dynamic information depending on every individual's behavior. Unfortunately, there is a thing called "Cross site scripting" (known as "XSS") always attacking dynamic websites, from which static websites are completely fine at this time.
|
||||
|
||||
Attackers often inject malicious scripts like JavaScript, VBScript, ActiveX or Flash into those websites that have loopholes. Once they have successful injection, your user information will be stolen and your website will full of spam, also they can change user settings to whatever they want.
|
||||
Attackers often inject malicious scripts like JavaScript, VBScript, ActiveX or Flash into those websites that have loopholes. Once they have successfully injected their scripts, user information can be stolen and your website can be flooded with spam. The attackers can also change user settings to whatever they want.
|
||||
|
||||
If you want to prevent this kind of attack, you'd better combine two following approaches:
|
||||
If you want to prevent this kind of attack, you should combine the two following approaches:
|
||||
|
||||
- Verification all data from users, which we talked about previous section.
|
||||
- Give special handling for data that will be responded to clients, in order to prevent any injected script runs on browsers.
|
||||
- Verification of all data from users, which we talked about in the previous section.
|
||||
- Carefully handle data that will be sent to clients in order to prevent any injected scripts from running on browsers.
|
||||
|
||||
So how can we do these two jobs in Go? Fortunately, package `html/template` has some useful functions to escape data as follows:
|
||||
So how can we do these two things in Go? Fortunately, the `html/template` package has some useful functions to escape data as follows:
|
||||
|
||||
- `func HTMLEscape(w io.Writer, b []byte)` escapes b to w.
|
||||
- `func HTMLEscapeString(s string) string` returns string after escaped from s.
|
||||
- `func HTMLEscaper(args ...interface{}) string` returns string after escaped from multiple arguments.
|
||||
- `func HTMLEscapeString(s string) string` returns a string after escaping from s.
|
||||
- `func HTMLEscaper(args ...interface{}) string` returns a string after escaping from multiple arguments.
|
||||
|
||||
Let's change the example in section 4.1:
|
||||
|
||||
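Review bot: the rewritten second paragraph still ends awkwardly ("from which static websites are completely fine at this time") and overstates the claim; suggest something like "which purely static websites do not suffer from", and since a static page whose own client-side JavaScript reads untrusted input (for example from the URL) can still be vulnerable (DOM-based XSS), "completely fine" is better softened to "far less exposed". Separately, the function list that follows (`func HTMLEscape(w io.Writer, b []byte)`, `HTMLEscapeString`, `HTMLEscaper`) only covers escaping for HTML text content; a sentence noting that `html/template` also escapes automatically per context when values are rendered through a template, and that attribute, JavaScript and URL contexts need context-specific escaping rather than `HTMLEscapeString`, would make the guidance safer for readers who copy the manual calls.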
@@ -21,13 +21,13 @@ Let's change the example in section 4.1:
|
||||
fmt.Println("password:", template.HTMLEscapeString(r.Form.Get("password")))
|
||||
template.HTMLEscape(w, []byte(r.Form.Get("username"))) // responded to clients
|
||||
|
||||
If we try to input user name as `<script>alert()</script>`, we will see following content in the browser:
|
||||
If someone tries to input the username as `<script>alert()</script>`, we will see the following content in the browser:
|
||||
|
||||

|
||||
|
||||
Figure 4.3 JavaScript after escaped
|
||||
|
||||
Functions in package `html/template` help you escape all HTML tags, what if you just want to print `<script>alert()</script>` to browsers? You should use `text/template` instead.
|
||||
Functions in the `html/template` package help you to escape all HTML tags. What if you just want to print `<script>alert()</script>` to browsers? You should use `text/template` instead.
|
||||
|
||||
import "text/template"
|
||||
...
|
||||
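Review bot: the context line `fmt.Println("password:", template.HTMLEscapeString(r.Form.Get("password")))` prints a submitted password to the server's standard output; HTML-escaping it does not make it safe to log, and since this commit is revising the surrounding text it is a good moment to drop the password from the printed output or replace it with a placeholder such as `"(redacted)"`. Minor: the trailing comment `// responded to clients` on the `template.HTMLEscape(w, []byte(r.Form.Get("username")))` line would read more naturally as `// written to the client response`.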
@@ -38,8 +38,8 @@ Output:
|
||||
|
||||
Hello, <script>alert('you have been pwned')</script>!
|
||||
|
||||
Or you can use type `template.HTML`:
|
||||
Variable content will not be escaped if it's type is `template.HTML`.
|
||||
Or you can use the `template.HTML` type :
|
||||
Variable content will not be escaped if its type is `template.HTML`.
|
||||
|
||||
import "html/template"
|
||||
...
|
||||
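Review bot: the new wording "Or you can use the `template.HTML` type :" has a stray space before the colon. More importantly, this hunk presents `text/template` and `template.HTML` as ways to get `Hello, <script>alert('you have been pwned')</script>!` into the page without saying when that is acceptable; a sentence stating that `template.HTML` is an assertion that the content is already safe, and that wrapping user-supplied data in it (or rendering it with `text/template`) reintroduces exactly the XSS the section is about, would keep a reader from reaching for it to "fix" unwanted escaping.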
@@ -50,7 +50,7 @@ Output:
|
||||
|
||||
Hello, <script>alert('you have been pwned')</script>!
|
||||
|
||||
One more example of escape
|
||||
One more example of escaping:
|
||||
|
||||
import "html/template"
|
||||
...
|
||||
|
||||
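Review bot: the heading "One more example of escaping:" is followed only by the import and an elided block, so the reader cannot tell from the text what this final example is meant to show or whether its output is escaped or raw; since the two preceding examples both print the unescaped `Hello, <script>alert('you have been pwned')</script>!`, a one-line statement of the expected output after this example would make the intended contrast explicit.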