对于门户中的每个表单,它需要确保用户输入被“清理”以防止跨站点脚本 (XSS) 攻击。当用户输入包含恶意代码(例如 JS 脚本)时,这些攻击就会发生,这些恶意代码最终可能会在门户的某些界面上呈现并因此执行,这可能会对其他用户产生影响。
当您遍历数据时,您会遇到嵌套对象和数组,您的逻辑必须能够相应地检测和处理这些对象和数组。当循环到达一个对象或数组时,您可能必须使用递归来正确处理它。
import DOMPurify from 'dompurify';
/**
 * Sample form submission seeded with XSS probes.
 *
 * Every marked-up string here is a different attack shape: inline `<script>`
 * blocks that read `document.cookie`, an injected `<body onload>` handler in a
 * plain text field, and an `<img onerror>` payload inside an array. They sit at
 * several nesting depths, next to a plain number, so that a sanitizer has to
 * walk nested objects and arrays instead of just the top-level keys.
 * Not exported from this module.
 */
const rawData = {
  identity: {
    name: {
      first: 'John',
      middle: '<script type="text/javascript">var test="https://www.sknvibes.com/example.php?cookie_data=" + escape(document.cookie);</script>',
      last: 'Doe',
    },
  },
  location: {
    address: {
      street: {
        number: 311,
        name: 'Franklin <script>alert(document.cookie)</script> Drive',
      },
    },
  },
  first: 'John',
  middle: '<script type="text/javascript">var test="https://www.sknvibes.com/example.php?cookie_data=" + escape(document.cookie);</script>',
  last: 'Doe',
  jobTitle: "Software Dev<body onload=alert('something')>;eloper",
  notificationPreferences: [
    'email',
    'SMS',
    'phone',
    '<img onerror="alert(\'Hacked!\');" src="invalid-image" />',
  ],
};
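/**
 * Recursively sanitizes user-submitted form data against cross-site scripting
 * (XSS).
 *
 * Every string found in `data` — at the top level, inside arrays, or inside
 * nested plain objects at any depth — is passed through DOMPurify with the
 * HTML and SVG profiles disabled, so markup is stripped and only its text
 * content survives. Numbers, booleans, `null` and `undefined` carry no markup
 * and are returned as-is. The input is never mutated; a freshly built deep
 * copy is returned.
 *
 * Only own enumerable keys are copied, and the keys `__proto__`,
 * `constructor` and `prototype` are dropped, so a crafted request body cannot
 * pollute `Object.prototype` through the cleaned copy.
 *
 * Assumes acyclic input (e.g. parsed JSON); a self-referencing object would
 * recurse without bound.
 *
 * @param {*} data - Untrusted form data: a string, an array, a (nested) plain
 *   object, or any other primitive.
 * @param {(value: string) => string} [sanitizeString] - Sanitizer applied to
 *   each string; defaults to text-only DOMPurify. Overridable for unit tests.
 * @returns {*} `cleanData`: a sanitized copy of `data` with the same shape.
 */
const sanitizeInput = (
  data,
  sanitizeString = (value) =>
    DOMPurify.sanitize(value, { USE_PROFILES: { html: false, svg: false } }),
) => {
  // Keys that would let attacker-controlled input reach Object.prototype when
  // assigned onto a plain object.
  const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

  // Walks one value and returns its cleaned counterpart.
  const clean = (value) => {
    if (typeof value === 'string') {
      return sanitizeString(value);
    }
    if (value === null || typeof value !== 'object') {
      // numbers, booleans, undefined, bigint, symbol: nothing to escape
      return value;
    }
    if (Array.isArray(value)) {
      return value.map(clean);
    }
    const cleanData = {};
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) {
        continue;
      }
      cleanData[key] = clean(value[key]);
    }
    return cleanData;
  };

  return clean(data);
};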
export default sanitizeInput